diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..8d33ca6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+additional
diff --git a/Makefile b/Makefile
index ad523fc..6a184ad 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-.PHONY: help build-upstream build-scratch build-kali build-all test clean push
+.PHONY: help build-upstream build-scratch build-kali build-all test clean push generate-data generate-master coverage-report
 # Default target
 help:
@@ -16,6 +16,9 @@ help:
 @echo " shell Interactive shell (REMnux build)"
 @echo " shell-scratch Interactive shell (scratch build)"
 @echo " coverage Check help coverage"
+ @echo " generate-data Convert FOR610 YAML to JSON"
+ @echo " generate-master Build master inventory and all help artifacts"
+ @echo " coverage-report Generate tool coverage gap report"
 @echo ""
 # Build targets
@@ -63,3 +66,29 @@ shell:
 coverage:
 @echo "Checking help coverage..."
 @docker run --rm tabledevil/file-analysis:latest /usr/local/bin/check-help-coverage.sh || true
+
+# Generate JSON from FOR610 YAML knowledge base
+generate-data:
+ @echo "Generating JSON from FOR610 YAML files..."
+ @mkdir -p data/generated
+ @for f in data/for610/*.yaml; do \
+ name=$$(basename "$$f" .yaml); \
+ python3 -c "import yaml,json; json.dump(yaml.safe_load(open('$$f')),open('data/generated/$$name.json','w'),indent=2)"; \
+ echo " ✓ $$name.json"; \
+ done
+ @echo "✓ JSON files generated in data/generated/"
+
+# Build master inventory from all 3 sources and generate all help artifacts
+generate-master: generate-data
+ @echo "Building master tool inventory..."
+ python3 scripts/parse-salt-states.py
+ python3 scripts/scrape-remnux-docs.py
+ python3 scripts/build-master-inventory.py
+ python3 scripts/generate-help-artifacts.py
+ python3 scripts/generate-coverage-report.py
+ @echo "✓ Master inventory and all artifacts generated"
+
+# Generate coverage report only (requires tools-master.yaml to exist)
+coverage-report:
+ python3 scripts/generate-coverage-report.py
+ @echo "Report: data/generated/coverage-report.md"
diff --git a/data/for610/README.md b/data/for610/README.md
new file mode 100644
index 0000000..4482425
--- /dev/null
+++ b/data/for610/README.md
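Review bot: In `generate-data`, the `python3 -c` line splices `$$f` and `$$name` into Python source inside single quotes, so a YAML filename containing a quote, backslash or newline breaks or alters the generated program instead of being treated as a path; the glob limits inputs to files under `data/for610/`, so this is a robustness issue rather than an exposure, but the paths should be passed as arguments, e.g. `python3 -c "import sys,json,yaml; json.dump(yaml.safe_load(open(sys.argv[1], encoding='utf-8')), open(sys.argv[2], 'w', encoding='utf-8'), indent=2)" "$$f" "data/generated/$$name.json"; \`. Both `open()` calls also rely on interpreter teardown to flush and close the output file, which a `with` block would make explicit. `yaml.safe_load` is the right loader for this input and should stay. Separately, the README added in this commit says the conversion is done with `yq`, which does not match this recipe; one of the two should be aligned.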
@@ -0,0 +1,62 @@
+# FOR610 Knowledge Base
+
+Structured data extracted from the SANS FOR610 (Reverse-Engineering Malware) course materials.
+
+## Files
+
+| File | Description |
+|------|-------------|
+| `categories.yaml` | Tool category taxonomy (18 categories) |
+| `tools.yaml` | Master tool catalog (~110 tools with metadata) |
+| `labs.yaml` | All 47 labs with ordered tool sequences |
+| `workflows.yaml` | 8 high-level analysis workflow patterns |
+
+## Schema
+
+### tools.yaml
+
+Each tool entry contains:
+
+- `id` — unique kebab-case identifier (used for cross-references)
+- `name` — display name as typed on CLI
+- `aliases` — alternative names
+- `description` — one-line description
+- `category` — FK to categories.yaml
+- `platform` — `linux` | `windows` | `both` | `online`
+- `in_remnux` — boolean, available in REMnux container
+- `labs` — list of lab IDs that use this tool
+- `typical_usage` — 1-3 command examples
+- `for610_sections` — which course sections cover this tool
+- `tags` — free-form search tags
+
+### labs.yaml
+
+Each lab entry contains:
+
+- `id` — lab number (e.g., "3.1")
+- `section` — course section (1-5)
+- `title` — full lab title
+- `sample` — malware specimen analyzed
+- `analysis_type` — controlled vocabulary
+- `tools_used` — **ordered** list with `tool_id`, `platform`, and `purpose`
+- `key_techniques` — techniques demonstrated
+- `prerequisite_labs` — dependencies (optional)
+- `tags` — free-form search tags
+
+### workflows.yaml
+
+Each workflow contains ordered steps with tool references and related labs.
+
+## Generating JSON
+
+```bash
+make generate-data
+```
+
+This converts all YAML files to JSON under `data/generated/` using `yq`.
+
+## Cross-Reference Integrity
+
+Tool IDs in `labs.yaml` → `tools_used[].tool_id` must exist in `tools.yaml`.
+Lab IDs in `tools.yaml` → `labs[]` must exist in `labs.yaml`.
+Category IDs in `tools.yaml` → `category` must exist in `categories.yaml`.
diff --git a/data/for610/categories.yaml b/data/for610/categories.yaml
new file mode 100644
index 0000000..fe3634d
--- /dev/null
+++ b/data/for610/categories.yaml
@@ -0,0 +1,75 @@
+# FOR610 Tool Category Taxonomy
+# Each category groups related malware analysis tools
+
+categories:
+ - id: pdf-analysis
+ name: "PDF Analysis"
+ description: "Tools for analyzing PDF document structure, objects, and embedded content"
+
+ - id: document-analysis
+ name: "Document & Macro Analysis"
+ description: "Tools for examining Office documents, RTF files, email, and embedded macros"
+
+ - id: static-analysis-pe
+ name: "Static Analysis (PE)"
+ description: "Tools for static examination of Windows PE executables — headers, imports, strings, entropy"
+
+ - id: behavioral-analysis
+ name: "Behavioral Analysis"
+ description: "Tools for monitoring runtime behavior — processes, filesystem, registry, API calls"
+
+ - id: network-analysis
+ name: "Network Analysis & Interception"
+ description: "Tools for capturing, analyzing, and simulating network traffic"
+
+ - id: code-analysis
+ name: "Code Analysis & Disassembly"
+ description: "Disassemblers and decompilers for static code-level analysis"
+
+ - id: debugging
+ name: "Debugging"
+ description: "Debuggers for dynamic code-level analysis, breakpoints, and memory inspection"
+
+ - id: emulation
+ name: "Emulation & Sandboxing"
+ description: "Tools that emulate execution of binaries, shellcode, or scripts without native execution"
+
+ - id: unpacking
+ name: "Unpacking & Dumping"
+ description: "Tools for unpacking compressed/encrypted executables and dumping from memory"
+
+ - id: dotnet-analysis
+ name: ".NET Analysis"
+ description: "Decompilers, debuggers, and deobfuscators specialized for .NET/CLR malware"
+
+ - id: javascript-analysis
+ name: "JavaScript Analysis"
+ description: "Tools for deobfuscating and analyzing malicious JavaScript"
+
+ - id: powershell-analysis
+ name: "PowerShell Analysis"
+ description: "Tools for debugging, decoding, and analyzing malicious PowerShell scripts"
+
+ - id: string-deobfuscation
+ name: "String & Data Deobfuscation"
+ description: "Tools for 
decoding XOR, Base64, stack strings, and other obfuscation techniques"
+
+ - id: yara-detection
+ name: "YARA & Capability Detection"
+ description: "Pattern matching and capability identification tools"
+
+ - id: anti-analysis
+ name: "Anti-Analysis Bypass"
+ description: "Plugins and techniques for bypassing debugger detection and anti-analysis measures"
+
+ - id: online-platforms
+ name: "Online Analysis Platforms"
+ description: "Web-based sandboxes, scanners, and threat intelligence services"
+
+ - id: virtualization
+ name: "Virtualization"
+ description: "Hypervisors and VM platforms for isolated malware analysis labs"
+
+ - id: utilities
+ name: "Utilities"
+ description: "General-purpose utilities used within malware analysis workflows"
diff --git a/data/for610/labs.yaml b/data/for610/labs.yaml
new file mode 100644
index 0000000..7449dd9
--- /dev/null
+++ b/data/for610/labs.yaml
@@ -0,0 +1,1200 @@ +# FOR610 Lab/Workflow Catalog +# All labs from the SANS FOR610 workbook with ordered tool usage +# Tool order reflects the actual step-by-step workflow sequence + +labs: + + # ============================================================ + # SECTION 1: MALWARE ANALYSIS FUNDAMENTALS + # ============================================================ + + - id: "1.1" + section: 1 + title: "Static Properties Analysis of brbbot.exe" + sample: "brbbot.exe" + analysis_type: static-properties + tools_used: + - tool_id: unzip + platform: linux + purpose: "Extract malware sample from archive" + - tool_id: pestr + platform: linux + purpose: "Extract ASCII and Unicode strings" + - tool_id: pestudio + platform: windows + purpose: "Examine PE properties, imports, sections, and anomalies" + - tool_id: peframe + platform: linux + purpose: "Examine static properties and detect anomalies" + key_techniques: + - string-extraction + - pe-header-analysis + - anomaly-detection + - import-analysis + tags: [static-analysis, pe, strings, triage] + + - id: "1.2" + section: 1 + title: "Initial Behavioral Analysis of brbbot.exe" + sample: "brbbot.exe" + analysis_type: behavioral + tools_used: + - tool_id: system-informer + platform: windows + purpose: "Monitor running processes and network connections" + - tool_id: process-monitor + platform: windows + purpose: "Capture file system, registry, and process activity" + - tool_id: regshot + platform: windows + purpose: "Take registry/filesystem snapshot before infection" + - tool_id: wireshark + platform: linux + purpose: "Capture network traffic from malware" + - tool_id: regshot + platform: windows + purpose: "Compare registry/filesystem snapshot after infection" + - tool_id: procdot + platform: windows + purpose: "Visualize Process Monitor logs for analysis" + key_techniques: + - process-monitoring + - registry-monitoring + - network-capture + - behavioral-visualization + prerequisite_labs: ["1.1"] + tags: [behavioral, 
monitoring, registry, network] + + - id: "1.3" + section: 1 + title: "Intercepting brbbot.exe's Network Traffic" + sample: "brbbot.exe" + analysis_type: network-interception + tools_used: + - tool_id: fakedns + platform: linux + purpose: "Spoof DNS to redirect malware traffic to REMnux" + - tool_id: nslookup + platform: windows + purpose: "Verify DNS spoofing is working" + - tool_id: wireshark + platform: linux + purpose: "Capture redirected network traffic" + - tool_id: httpd + platform: linux + purpose: "Simulate C2 web server" + - tool_id: visual-studio-code + platform: linux + purpose: "Edit web server response files" + key_techniques: + - dns-spoofing + - traffic-interception + - c2-analysis + - http-payload-examination + prerequisite_labs: ["1.2"] + tags: [network, dns, c2, interception] + + - id: "1.4" + section: 1 + title: "Emulating the Execution of brbbot.exe" + sample: "brbbot.exe" + analysis_type: emulation + tools_used: + - tool_id: speakeasy + platform: linux + purpose: "Emulate Windows API calls without native execution" + - tool_id: visual-studio-code + platform: linux + purpose: "Examine emulation output" + - tool_id: jq + platform: linux + purpose: "Extract API names from JSON report" + - tool_id: capa + platform: linux + purpose: "Identify malware capabilities with MITRE ATT&CK mapping" + key_techniques: + - api-emulation + - capability-detection + - json-analysis + prerequisite_labs: ["1.1"] + tags: [emulation, api-analysis, capa, speakeasy] + + - id: "1.5" + section: 1 + title: "Decrypting brbbot.exe's Configuration File" + sample: "brbbot.exe" + analysis_type: debugging + tools_used: + - tool_id: x64dbg + platform: windows + purpose: "Debug malware, set breakpoints on ReadFile and CryptDecrypt APIs" + - tool_id: pestudio + platform: windows + purpose: "Examine imports to identify encryption APIs" + - tool_id: cyberchef + platform: linux + purpose: "Decode XOR-encrypted exfiltrated payload" + key_techniques: + - api-breakpoints + - 
configuration-decryption + - xor-decoding + - handle-inspection + prerequisite_labs: ["1.1", "1.3"] + tags: [debugging, decryption, xor, c2-config] + + - id: "1.6" + section: 1 + title: "Experimenting with C2 Functionality in brbbot.exe" + sample: "brbbot.exe" + analysis_type: behavioral + tools_used: + - tool_id: httpd + platform: linux + purpose: "Serve C2 commands via ads.php" + - tool_id: wireshark + platform: linux + purpose: "Observe C2 request/response traffic" + - tool_id: system-informer + platform: windows + purpose: "Monitor process spawning from C2 commands" + key_techniques: + - c2-command-testing + - beaconing-analysis + - command-execution-monitoring + prerequisite_labs: ["1.3", "1.5"] + tags: [c2, behavioral, command-control] + + - id: "1.7" + section: 1 + title: "Intercepting HTTPS Connections Initiated by ghyte.exe" + sample: "ghyte.exe" + analysis_type: network-interception + tools_used: + - tool_id: wireshark + platform: linux + purpose: "Capture initial network traffic" + - tool_id: fakedns + platform: linux + purpose: "Redirect DNS for HTTPS interception" + - tool_id: system-informer + platform: windows + purpose: "Monitor malware process" + - tool_id: inetsim + platform: linux + purpose: "Emulate HTTPS and other internet services" + key_techniques: + - https-interception + - service-emulation + - tls-analysis + prerequisite_labs: ["1.1"] + tags: [network, https, inetsim, interception] + + - id: "1.8" + section: 1 + title: "Intercepting IP Address-Based Traffic Using iptables" + sample: "getdown.exe" + analysis_type: network-interception + tools_used: + - tool_id: wireshark + platform: linux + purpose: "Capture network traffic" + - tool_id: system-informer + platform: windows + purpose: "Monitor malware process" + - tool_id: httpd + platform: linux + purpose: "Serve responses to redirected traffic" + - tool_id: iptables + platform: linux + purpose: "Redirect IP-based traffic via NAT rules" + key_techniques: + - iptables-redirection + - 
ip-based-interception + - nat-rules + prerequisite_labs: ["1.3"] + tags: [network, iptables, traffic-redirection] + + # ============================================================ + # SECTION 2: REVERSING MALICIOUS CODE + # ============================================================ + + - id: "2.1" + section: 2 + title: "Intro to Assembly and Ghidra" + sample: "svchost.exe" + analysis_type: code-analysis + tools_used: + - tool_id: ghidra + platform: windows + purpose: "Disassemble and decompile — navigate function graphs, symbol trees, imports" + key_techniques: + - ghidra-navigation + - function-graph + - import-analysis + - cross-references + - equate-constants + - commenting + tags: [assembly, ghidra, code-analysis, fundamentals] + + - id: "2.2" + section: 2 + title: "HTTP C2 Analysis" + sample: "svchost.exe" + analysis_type: code-analysis + tools_used: + - tool_id: ghidra + platform: windows + purpose: "Analyze HTTP C2 code patterns and API usage" + key_techniques: + - http-api-identification + - data-type-archives + - parameter-analysis + - function-renaming + prerequisite_labs: ["2.1"] + tags: [c2, http, api-patterns, ghidra] + + - id: "2.3" + section: 2 + title: "Function Components, Part 1" + sample: "svchost.exe" + analysis_type: code-analysis + tools_used: + - tool_id: ghidra + platform: windows + purpose: "Analyze function prologue, epilogue, stack frames, and local variables" + key_techniques: + - function-prologue + - function-epilogue + - stack-frame + - local-variables + prerequisite_labs: ["2.1"] + tags: [assembly, functions, stack, ghidra] + + - id: "2.4" + section: 2 + title: "Function Components, Part 2" + sample: "svchost.exe" + analysis_type: code-analysis + tools_used: + - tool_id: ghidra + platform: windows + purpose: "Analyze function parameters, calling conventions, and return values" + key_techniques: + - calling-conventions + - parameter-passing + - return-values + prerequisite_labs: ["2.3"] + tags: [assembly, functions, 
calling-conventions, ghidra] + + - id: "2.5" + section: 2 + title: "Loop Components" + sample: "svchost.exe" + analysis_type: code-analysis + tools_used: + - tool_id: ghidra + platform: windows + purpose: "Identify loops using string references and control flow analysis" + key_techniques: + - string-references + - loop-identification + - control-flow + prerequisite_labs: ["2.1"] + tags: [assembly, loops, control-flow, ghidra] + + - id: "2.6" + section: 2 + title: "Compound Expressions" + sample: "svchost.exe" + analysis_type: code-analysis + tools_used: + - tool_id: ghidra + platform: windows + purpose: "Analyze complex conditional logic and nested decisions" + key_techniques: + - compound-conditions + - nested-logic + - decompiler-interpretation + prerequisite_labs: ["2.1"] + tags: [assembly, conditionals, ghidra] + + - id: "2.7" + section: 2 + title: "Dropper Analysis" + sample: "ishelp.dll" + analysis_type: code-analysis + tools_used: + - tool_id: pestudio + platform: windows + purpose: "Confirm DLL type and examine exports" + - tool_id: ghidra + platform: windows + purpose: "Analyze resource extraction and file dropping code" + key_techniques: + - dll-analysis + - exported-functions + - resource-extraction + - file-dropping + prerequisite_labs: ["2.1"] + tags: [dropper, dll, resources, ghidra] + + - id: "2.8" + section: 2 + title: "Intro to 64-bit Code Analysis" + sample: "64-bit specimen" + analysis_type: code-analysis + tools_used: + - tool_id: ghidra + platform: windows + purpose: "Analyze 64-bit calling conventions and register usage" + key_techniques: + - x64-calling-convention + - register-usage + - schtasks-persistence + prerequisite_labs: ["2.1"] + tags: [64-bit, assembly, x64, ghidra] + + # ============================================================ + # SECTION 3: BEYOND TRADITIONAL EXECUTABLES + # ============================================================ + + - id: "3.1" + section: 3 + title: "Examining steel1.pdf with pdf-parser.py" + sample: 
"steel1.pdf" + analysis_type: pdf-analysis + tools_used: + - tool_id: unzip + platform: linux + purpose: "Extract sample from archive" + - tool_id: pdfid-py + platform: linux + purpose: "Scan for suspicious PDF keywords (/URI, /JavaScript, /OpenAction)" + - tool_id: pdf-parser-py + platform: linux + purpose: "Parse PDF objects, extract URLs, and dump embedded images" + - tool_id: feh + platform: linux + purpose: "View extracted image from PDF object" + key_techniques: + - pdf-keyword-scanning + - object-extraction + - url-extraction + - embedded-image-analysis + tags: [pdf, phishing, static-analysis] + + - id: "3.2" + section: 3 + title: "Investigating the 'crophysi' Website with Fiddler" + sample: "crophysi website" + analysis_type: web-analysis + tools_used: + - tool_id: fiddler + platform: windows + purpose: "Load and analyze captured HTTP/HTTPS traffic" + key_techniques: + - redirection-chain-analysis + - http-request-inspection + - payload-extraction + tags: [web, http, fiddler, traffic-analysis] + + - id: "3.3" + section: 3 + title: "Analyzing mydoc.docm with oledump.py" + sample: "mydoc.docm" + analysis_type: document-analysis + tools_used: + - tool_id: unzip + platform: linux + purpose: "Extract sample from archive" + - tool_id: trid + platform: linux + purpose: "Identify file format (OOXML)" + - tool_id: oledump-py + platform: linux + purpose: "List OLE streams and extract VBA macros" + - tool_id: numbers-to-string-py + platform: linux + purpose: "Convert decimal sequences to readable strings" + - tool_id: visual-studio-code + platform: linux + purpose: "View extracted macro code" + key_techniques: + - file-format-identification + - ole-stream-analysis + - vba-macro-extraction + - string-decoding + tags: [office, vba, macro, oledump] + + - id: "3.4" + section: 3 + title: "Analyzing PowerShell and Shellcode Artifacts in checkbox.doc" + sample: "checkbox.doc" + analysis_type: document-analysis + tools_used: + - tool_id: unzip + platform: linux + purpose: 
"Extract sample" + - tool_id: file + platform: linux + purpose: "Identify file type" + - tool_id: trid + platform: linux + purpose: "Confirm OLE2 format" + - tool_id: oledump-py + platform: linux + purpose: "Extract OLE streams and identify macro streams" + - tool_id: base64dump-py + platform: linux + purpose: "Decode Base64-encoded PowerShell from UserForm" + - tool_id: gunzip + platform: linux + purpose: "Decompress gzipped payload" + - tool_id: translate-py + platform: linux + purpose: "XOR decode shellcode (byte ^ 35)" + - tool_id: strings + platform: linux + purpose: "Extract strings from decoded shellcode" + - tool_id: scdbgc + platform: linux + purpose: "Emulate shellcode to identify behavior" + - tool_id: yara + platform: linux + purpose: "Scan for known malware patterns" + - tool_id: 1768-py + platform: linux + purpose: "Parse Cobalt Strike beacon configuration" + key_techniques: + - multi-stage-decoding + - base64-gunzip-xor-chain + - shellcode-emulation + - cobalt-strike-identification + prerequisite_labs: ["3.3"] + tags: [office, powershell, shellcode, cobalt-strike, multi-stage] + + - id: "3.5" + section: 3 + title: "Examining qa.doc With rtfdump.py, scdbgc, and runsc" + sample: "qa.doc" + analysis_type: document-analysis + tools_used: + - tool_id: unzip + platform: linux + purpose: "Extract sample" + - tool_id: file + platform: linux + purpose: "Identify RTF format" + - tool_id: rtfdump-py + platform: linux + purpose: "Parse RTF structure, locate hex-encoded embedded objects" + - tool_id: xorsearch + platform: linux + purpose: "Detect shellcode patterns in extracted binary" + - tool_id: scdbgc + platform: linux + purpose: "Emulate extracted shellcode" + - tool_id: runsc32 + platform: windows + purpose: "Execute shellcode for dynamic analysis" + - tool_id: x32dbg + platform: windows + purpose: "Debug shellcode execution" + - tool_id: rar + platform: linux + purpose: "Extract self-extracting RAR payloads" + key_techniques: + - rtf-structure-analysis + - 
shellcode-detection + - shellcode-emulation + - self-extracting-archive-analysis + prerequisite_labs: ["3.4"] + tags: [rtf, shellcode, exploitation, rar] + + - id: "3.6" + section: 3 + title: "Deobfuscating loveyou.js with SpiderMonkey" + sample: "loveyou.js" + analysis_type: javascript-deobfuscation + tools_used: + - tool_id: unzip + platform: linux + purpose: "Extract sample" + - tool_id: js-beautify + platform: linux + purpose: "Format obfuscated JavaScript for readability" + - tool_id: visual-studio-code + platform: linux + purpose: "Review beautified code" + - tool_id: spidermonkey + platform: linux + purpose: "Execute JavaScript with objects.js to deobfuscate" + - tool_id: cscript + platform: windows + purpose: "Execute JavaScript for AMSI monitoring" + - tool_id: logman + platform: windows + purpose: "Start AMSI event trace session" + - tool_id: amsiscriptcontentretrieval + platform: windows + purpose: "Extract monitored script content from AMSI logs" + - tool_id: notepadpp + platform: windows + purpose: "View extracted AMSI output" + key_techniques: + - javascript-beautification + - spidermonkey-execution + - objects-js-simulation + - amsi-monitoring + tags: [javascript, deobfuscation, spidermonkey, amsi] + + - id: "3.7" + section: 3 + title: "Deobfuscating fgg.js Using SpiderMonkey" + sample: "fgg.js" + analysis_type: javascript-deobfuscation + tools_used: + - tool_id: unzip + platform: linux + purpose: "Extract sample" + - tool_id: spidermonkey + platform: linux + purpose: "Execute JavaScript (identify missing location.href)" + - tool_id: visual-studio-code + platform: linux + purpose: "Edit objects.js to set location.href" + - tool_id: spidermonkey + platform: linux + purpose: "Re-execute with modified objects.js to deobfuscate" + key_techniques: + - environment-simulation + - objects-js-customization + - location-href-spoofing + prerequisite_labs: ["3.6"] + tags: [javascript, deobfuscation, spidermonkey] + + - id: "3.8" + section: 3 + title: "Decoding 
the Initial Script with Fiddler and CyberChef" + sample: "roomsvisitor.saz" + analysis_type: web-analysis + tools_used: + - tool_id: fiddler + platform: windows + purpose: "Load captured HTTP traffic and follow redirect chain" + - tool_id: notepadpp + platform: windows + purpose: "View Base64-encoded PowerShell command" + - tool_id: cyberchef + platform: both + purpose: "Decode Base64 and UTF-16LE to reveal PowerShell" + key_techniques: + - redirect-chain-analysis + - base64-decoding + - utf16-decoding + - powershell-extraction + prerequisite_labs: ["3.2"] + tags: [web, base64, powershell, cyberchef] + + - id: "3.9" + section: 3 + title: "Decoding wrcaf.ps1 With Fiddler and PowerShell ISE" + sample: "wrcaf.ps1" + analysis_type: powershell-analysis + tools_used: + - tool_id: fiddler + platform: windows + purpose: "Extract PowerShell script from HTTP traffic" + - tool_id: notepadpp + platform: windows + purpose: "Initial script viewing" + - tool_id: powershell-ise + platform: windows + purpose: "Debug script with breakpoints to extract decoded payload" + key_techniques: + - powershell-debugging + - breakpoint-usage + - variable-extraction + - invoke-expression-interception + prerequisite_labs: ["3.8"] + tags: [powershell, debugging, deobfuscation] + + - id: "3.10" + section: 3 + title: "Examining Package.exe and iviewers.dll with PeStudio and x32dbg" + sample: "Package.exe, iviewers.dll" + analysis_type: code-analysis + tools_used: + - tool_id: fiddler + platform: windows + purpose: "Extract Package.exe from HTTP traffic" + - tool_id: pestudio + platform: windows + purpose: "Examine digital signature and PE properties" + - tool_id: x32dbg + platform: windows + purpose: "Debug DLL loading and CreateProcessW calls" + - tool_id: notepadpp + platform: windows + purpose: "View extracted PowerShell command parameters" + key_techniques: + - digital-signature-analysis + - dll-sideloading + - createprocess-breakpoints + - multi-stage-payload + prerequisite_labs: ["3.9"] + 
tags: [dll, debugging, digital-signature, sideloading] + + - id: "3.11" + section: 3 + title: "Decoding iubn.ps1 With Fiddler and PowerShell ISE" + sample: "iubn.ps1" + analysis_type: powershell-analysis + tools_used: + - tool_id: fiddler + platform: windows + purpose: "Extract PowerShell script from HTTP traffic" + - tool_id: notepadpp + platform: windows + purpose: "Initial script examination" + - tool_id: powershell-ise + platform: windows + purpose: "Debug and decode layered PowerShell" + key_techniques: + - powershell-debugging + - invoke-expression-interception + - out-file-extraction + - dotnet-assembly-download + prerequisite_labs: ["3.10"] + tags: [powershell, debugging, dotnet-loading] + + - id: "3.12" + section: 3 + title: "Analyzing rwvg1.exe and its Artifacts with ILSpy and CyberChef" + sample: "rwvg1.exe, ersyb.exe" + analysis_type: dotnet-analysis + tools_used: + - tool_id: fiddler + platform: windows + purpose: "Extract .NET assembly from HTTP traffic" + - tool_id: pestudio + platform: windows + purpose: "Confirm .NET assembly" + - tool_id: ilspy + platform: windows + purpose: "Decompile .NET to view C# source code" + - tool_id: cyberchef + platform: both + purpose: "Decode Base64 + XOR payload" + - tool_id: exeinfo-pe + platform: windows + purpose: "Identify second-stage .NET binary" + key_techniques: + - dotnet-decompilation + - runtime-compilation-analysis + - base64-xor-decoding + - csharpcodeprovider-analysis + prerequisite_labs: ["3.11"] + tags: [dotnet, decompilation, cyberchef, multi-stage] + + # ============================================================ + # SECTION 4: IN-DEPTH MALWARE ANALYSIS + # ============================================================ + + - id: "4.1" + section: 4 + title: "Assessing the Packed brbbot.exe File" + sample: "brbbot.exe (packed)" + analysis_type: unpacking + tools_used: + - tool_id: unzip + platform: linux + purpose: "Extract packed sample" + - tool_id: pestudio + platform: windows + purpose: "Examine 
entropy, sections, and packing indicators" + - tool_id: diec + platform: linux + purpose: "Identify packer (UPX detection)" + key_techniques: + - entropy-analysis + - section-examination + - packer-identification + tags: [packing, entropy, detection, triage] + + - id: "4.2" + section: 4 + title: "Dumping and Fixing brbbot.exe Using Scylla" + sample: "brbbot.exe (packed)" + analysis_type: unpacking + tools_used: + - tool_id: upx + platform: linux + purpose: "Attempt automated unpacking (fails — modified UPX)" + - tool_id: setdllcharacteristics + platform: windows + purpose: "Disable ASLR for consistent memory addresses" + - tool_id: system-informer + platform: windows + purpose: "Verify process is running after infection" + - tool_id: scylla + platform: windows + purpose: "Dump unpacked process from memory and fix IAT" + - tool_id: pestudio + platform: windows + purpose: "Verify dumped file is valid PE" + key_techniques: + - aslr-disabling + - process-dumping + - iat-reconstruction + - scylla-workflow + prerequisite_labs: ["4.1"] + tags: [unpacking, scylla, iat, memory-dump] + + - id: "4.3" + section: 4 + title: "Unpacking brbbot.exe by Using x64dbg and OllyDumpEx" + sample: "brbbot.exe (packed)" + analysis_type: unpacking + tools_used: + - tool_id: x64dbg + platform: windows + purpose: "Debug to locate unpacker JMP to OEP" + - tool_id: ollydumpex + platform: windows + purpose: "Dump unpacked process from within debugger" + - tool_id: scylla + platform: windows + purpose: "Fix IAT in dumped executable (as x64dbg plugin)" + key_techniques: + - oep-detection + - unpacker-breakpoints + - memory-dumping + - iat-fixing + prerequisite_labs: ["4.1"] + tags: [unpacking, debugger, oep, ollydumpex] + + - id: "4.4" + section: 4 + title: "Debugging the Packed Version of brbbot.exe" + sample: "brbbot.exe (packed)" + analysis_type: debugging + tools_used: + - tool_id: x64dbg + platform: windows + purpose: "Set hardware breakpoints on CryptDecrypt to analyze packed runtime 
behavior" + key_techniques: + - hardware-breakpoints + - api-interception + - packed-runtime-analysis + prerequisite_labs: ["4.1"] + tags: [debugging, packed-malware, hardware-breakpoints] + + - id: "4.5" + section: 4 + title: "Analyzing Multi-Technology Specimen PDFXCview.exe" + sample: "PDFXCview.exe" + analysis_type: code-analysis + tools_used: + - tool_id: system-informer + platform: windows + purpose: "Monitor process creation and child processes" + - tool_id: process-monitor + platform: windows + purpose: "Capture file system and registry activity" + - tool_id: procdot + platform: windows + purpose: "Visualize multi-stage execution" + - tool_id: regedit + platform: windows + purpose: "Examine registry keys created by malware" + - tool_id: reg-export + platform: windows + purpose: "Extract JavaScript stored in registry to file" + - tool_id: winscp + platform: windows + purpose: "Transfer artifacts to REMnux for analysis" + - tool_id: spidermonkey + platform: linux + purpose: "Deobfuscate JavaScript component" + - tool_id: js-beautify + platform: linux + purpose: "Format decoded JavaScript for readability" + - tool_id: visual-studio-code + platform: linux + purpose: "View and analyze decoded scripts" + - tool_id: base64dump-py + platform: linux + purpose: "Decode Base64-encoded payloads" + - tool_id: notepadpp + platform: windows + purpose: "View decoded scripts" + - tool_id: powershell-ise + platform: windows + purpose: "Debug PowerShell component" + key_techniques: + - multi-technology-analysis + - registry-based-malware + - fileless-techniques + - cross-platform-workflow + tags: [multi-stage, javascript, powershell, behavioral] + + - id: "4.6" + section: 4 + title: "Examining Capabilities of Shellcode Used by PDFXCview.exe" + sample: "Shellcode from PDFXCview.exe" + analysis_type: shellcode-analysis + tools_used: + - tool_id: scdbgc + platform: both + purpose: "Emulate shellcode to identify API calls" + - tool_id: runsc32 + platform: windows + purpose: 
"Execute shellcode for dynamic analysis" + - tool_id: x32dbg + platform: windows + purpose: "Debug shellcode execution and examine parameters" + key_techniques: + - shellcode-emulation + - shellcode-debugging + - api-parameter-analysis + prerequisite_labs: ["4.5"] + tags: [shellcode, emulation, debugging] + + - id: "4.7" + section: 4 + title: "Unpacking Shellcode That Was Used by PDFXCview.exe" + sample: "Shellcode from PDFXCview.exe" + analysis_type: shellcode-analysis + tools_used: + - tool_id: x32dbg + platform: windows + purpose: "Set breakpoints on VirtualAlloc to track memory allocation" + - tool_id: pestudio + platform: windows + purpose: "Verify dumped PE from allocated memory" + key_techniques: + - virtualalloc-breakpoints + - multi-stage-shellcode + - memory-dumping + prerequisite_labs: ["4.6"] + tags: [shellcode, unpacking, virtualalloc] + + - id: "4.8" + section: 4 + title: "Examining .NET Malware chatroom.exe" + sample: "chatroom.exe" + analysis_type: dotnet-analysis + tools_used: + - tool_id: unzip + platform: linux + purpose: "Extract sample" + - tool_id: peframe + platform: linux + purpose: "Identify as .NET with high entropy (packed)" + - tool_id: pestr + platform: linux + purpose: "Extract strings" + - tool_id: ilspycmd + platform: linux + purpose: "Decompile .NET assembly on command line" + - tool_id: visual-studio-code + platform: linux + purpose: "Search decompiled code for Assembly.Load" + - tool_id: dnspyex + platform: windows + purpose: "Debug .NET with breakpoints to extract in-memory assembly" + - tool_id: pestudio + platform: windows + purpose: "Examine dumped assembly" + - tool_id: ilspy + platform: windows + purpose: "Decompile dumped assembly" + - tool_id: de4dot + platform: windows + purpose: "Deobfuscate .NET assembly" + key_techniques: + - dotnet-decompilation + - reflective-loading-detection + - assembly-load-breakpoints + - in-memory-dumping + - dotnet-deobfuscation + tags: [dotnet, debugging, deobfuscation, reflective-loading] + 
+ - id: "4.9" + section: 4 + title: "Examining Code Injection Capabilities of great.exe" + sample: "great.exe" + analysis_type: code-injection + tools_used: + - tool_id: ghidra + platform: windows + purpose: "Analyze CreateRemoteThread, VirtualAllocEx, and process enumeration code" + key_techniques: + - createremotethread-analysis + - virtualallocex-identification + - process-enumeration + - createtoolhelp32snapshot + prerequisite_labs: ["2.1"] + tags: [code-injection, api-analysis, ghidra] + + # ============================================================ + # SECTION 5: EXAMINING SELF-DEFENDING MALWARE + # ============================================================ + + - id: "5.1" + section: 5 + title: "Patching getdown.exe to Bypass Debugger Detection" + sample: "getdown.exe" + analysis_type: anti-analysis + tools_used: + - tool_id: wireshark + platform: linux + purpose: "Monitor network traffic" + - tool_id: system-informer + platform: windows + purpose: "Monitor process behavior" + - tool_id: x64dbg + platform: windows + purpose: "Identify and patch IsDebuggerPresent check" + key_techniques: + - isdebuggerpresent-bypass + - instruction-patching + - conditional-jump-modification + tags: [anti-debugging, patching, isdebuggerpresent] + + - id: "5.2" + section: 5 + title: "Deobfuscating Strings Encoded Using Simple and Common Algorithms" + sample: "getdown.exe, hubert.dll, 9.exe" + analysis_type: string-deobfuscation + tools_used: + - tool_id: unzip + platform: linux + purpose: "Extract samples" + - tool_id: xorsearch + platform: linux + purpose: "Search for XOR-encoded patterns" + - tool_id: strings + platform: linux + purpose: "Extract readable strings" + - tool_id: brxor-py + platform: linux + purpose: "Brute-force XOR key detection" + - tool_id: bbcrack + platform: linux + purpose: "Detect XOR/ROL/ADD obfuscation algorithms" + - tool_id: ghidra + platform: windows + purpose: "Analyze deobfuscation routines in code" + - tool_id: strdeob-pl + platform: linux + 
purpose: "Decode stack-built strings" + - tool_id: floss + platform: linux + purpose: "Automatically extract all obfuscated strings" + - tool_id: visual-studio-code + platform: linux + purpose: "View deobfuscation results" + key_techniques: + - xor-brute-forcing + - stack-string-decoding + - automated-string-extraction + - obfuscation-algorithm-identification + prerequisite_labs: ["2.1"] + tags: [strings, xor, deobfuscation, floss] + + - id: "5.3" + section: 5 + title: "Unpacking drtg.exe" + sample: "drtg.exe" + analysis_type: unpacking + tools_used: + - tool_id: unzip + platform: linux + purpose: "Extract sample" + - tool_id: floss + platform: linux + purpose: "Extract strings to assess packing" + - tool_id: visual-studio-code + platform: linux + purpose: "View FLOSS output" + - tool_id: x32dbg + platform: windows + purpose: "Debug with RtlDecompressBuffer breakpoints" + - tool_id: scyllahide + platform: windows + purpose: "Hide debugger from anti-debugging checks" + - tool_id: pestudio + platform: windows + purpose: "Verify unpacked dump" + key_techniques: + - rtldecompressbuffer-interception + - debugger-hiding + - exception-configuration + - memory-dumping + prerequisite_labs: ["5.2"] + tags: [unpacking, anti-debugging, decompression] + + - id: "5.4" + section: 5 + title: "Unpacking WinHost32.exe" + sample: "WinHost32.exe" + analysis_type: unpacking + tools_used: + - tool_id: unzip + platform: linux + purpose: "Extract sample" + - tool_id: capa + platform: linux + purpose: "Identify process hollowing capability" + - tool_id: ghidra + platform: windows + purpose: "Analyze CreateProcess(SUSPENDED), VirtualAllocEx, WriteProcessMemory" + - tool_id: x32dbg + platform: windows + purpose: "Set breakpoint on WriteProcessMemory to catch injected PE" + - tool_id: pestudio + platform: windows + purpose: "Verify dumped PE from process hollowing" + key_techniques: + - process-hollowing-detection + - create-suspended-analysis + - writeprocessmemory-breakpoints + - 
ntunmapviewofsection + prerequisite_labs: ["5.3"] + tags: [process-hollowing, code-injection, unpacking] + + - id: "5.5" + section: 5 + title: "Examining the Anti-Sandbox Defensive Capability of vbprop.exe" + sample: "vbprop.exe" + analysis_type: anti-analysis + tools_used: + - tool_id: ghidra + platform: windows + purpose: "Analyze SetWindowsHookExA for mouse event interception" + - tool_id: x32dbg + platform: windows + purpose: "Debug hook installation and handler" + key_techniques: + - setwindowshookex-analysis + - mouse-hook-detection + - sandbox-evasion + prerequisite_labs: ["2.1"] + tags: [anti-sandbox, hooks, evasion] + + - id: "5.6" + section: 5 + title: "Examining the Toolkit Detection Capabilities of raas.exe" + sample: "raas.exe" + analysis_type: anti-analysis + tools_used: + - tool_id: x32dbg + platform: windows + purpose: "Step through toolkit detection routines" + - tool_id: scyllahide + platform: windows + purpose: "Hide debugger from detection checks" + key_techniques: + - getmodulehandle-checks + - findwindow-checks + - process-enumeration + - registry-vm-detection + - blockinput-bypass + prerequisite_labs: ["2.1"] + tags: [anti-analysis, toolkit-detection, vm-detection] + + - id: "5.7" + section: 5 + title: "Understanding the SEH Defense in want.exe" + sample: "want.exe" + analysis_type: anti-analysis + tools_used: + - tool_id: x32dbg + platform: windows + purpose: "Analyze SEH chain setup and exception handler execution" + key_techniques: + - seh-manipulation + - exception-handler-analysis + - fs-segment-usage + - seh-breakpoints + prerequisite_labs: ["2.1"] + tags: [seh, anti-analysis, exception-handling] + + - id: "5.8" + section: 5 + title: "Unpacking want.exe Using a Stack Breakpoint" + sample: "want.exe" + analysis_type: unpacking + tools_used: + - tool_id: x32dbg + platform: windows + purpose: "Set stack breakpoint to detect unpacking completion" + - tool_id: ollydumpex + platform: windows + purpose: "Dump unpacked process from memory" + - 
tool_id: scylla + platform: windows + purpose: "Reconstruct IAT in dumped executable" + - tool_id: pestudio + platform: windows + purpose: "Verify unpacked PE" + key_techniques: + - stack-breakpoints + - oep-detection-via-stack + - memory-dumping + - iat-reconstruction + prerequisite_labs: ["5.7"] + tags: [unpacking, stack-breakpoint, seh] + + - id: "5.9" + section: 5 + title: "Bypassing Self-Defensive Measures in lansrv.exe" + sample: "lansrv.exe" + analysis_type: anti-analysis + tools_used: + - tool_id: pestudio + platform: windows + purpose: "Identify TLS callback in thread-local-storage section" + - tool_id: x32dbg + platform: windows + purpose: "Debug TLS callback, patch IsDebuggerPresent, fix GS segment override" + key_techniques: + - tls-callback-analysis + - isdebuggerpresent-bypass + - segment-register-patching + - xor-decoding-loop + - multi-defense-bypass + prerequisite_labs: ["2.1"] + tags: [tls-callback, anti-debugging, patching, multi-defense] + + - id: "5.10" + section: 5 + title: "Unpacking yep.exe with the Help of x32dbg and pe_unmapper" + sample: "yep.exe" + analysis_type: unpacking + tools_used: + - tool_id: pestudio + platform: windows + purpose: "Initial analysis — note gibberish strings indicating packing" + - tool_id: x32dbg + platform: windows + purpose: "Set breakpoints on LoadLibraryA and VirtualProtect" + - tool_id: xanalyzer + platform: windows + purpose: "Enhanced analysis showing API parameters" + - tool_id: pe-unmapper + platform: windows + purpose: "Convert virtual-aligned dump to raw alignment" + - tool_id: scylla + platform: windows + purpose: "Fix IAT in unmapped executable" + key_techniques: + - loadlibrary-breakpoints + - virtualprotect-breakpoints + - memory-region-dumping + - virtual-to-raw-alignment + - oep-anticipation + prerequisite_labs: ["5.8"] + tags: [unpacking, pe-unmapper, virtualprotect, loadlibrary] diff --git a/data/for610/recipes.yaml b/data/for610/recipes.yaml new file mode 100644 index 0000000..84db041 
--- /dev/null
+++ b/data/for610/recipes.yaml
@@ -0,0 +1,402 @@ +# Multi-Tool Analysis Recipes +# These are pipe chains and multi-step commands that combine tools +# Each recipe is cross-referenced to all tools it uses + +recipes: + + # ============================================================ + # OFFICE DOCUMENT ANALYSIS + # ============================================================ + + - id: extract-base64-ps-from-vba + name: "Extract Base64 PowerShell from Office Macro" + task: "Get encoded PowerShell payload hidden in a VBA UserForm stream" + tools: [oledump-py, base64dump-py] + commands: + - "# List streams — find macro (M) and data streams" + - "oledump.py " + - "# Extract VBA source to understand what the macro does" + - "oledump.py -s -v" + - "# Scan data stream for Base64 strings" + - "oledump.py -s -d | base64dump.py -n 10" + - "# Decode the longest Base64 hit to file" + - "oledump.py -s -d | base64dump.py -s 1 -d > payload.ps1" + lab: "3.4" + + - id: vba-number-string-decode + name: "Decode VBA Number Arrays to Strings" + task: "Convert VBA macros that use Chr() number sequences into readable text" + tools: [oledump-py, numbers-to-string-py] + commands: + - "# Extract VBA and convert number sequences to text" + - "oledump.py -s -v | numbers-to-string.py -j" + - "# Same but with line-break formatting for readability" + - "oledump.py -s -v | numbers-to-string.py -j | sed 's/;/;\\n/g'" + lab: "3.3" + + - id: multi-stage-base64-gzip + name: "Decode Base64 + Gzip Payload" + task: "Handle double-encoded payloads: Base64 wrapping gzip-compressed content" + tools: [base64dump-py, gunzip] + commands: + - "# Find Base64 strings in the script" + - "base64dump.py -n 10" + - "# Decode Base64 and decompress gzip in one chain" + - "base64dump.py -s -d | gunzip > decoded.ps1" + lab: "3.4" + + - id: base64-xor-shellcode + name: "Decode Base64 + XOR Shellcode" + task: "Extract shellcode encoded as Base64 with an XOR key" + tools: [base64dump-py, translate-py] + commands: + - "# Find Base64 strings" + - 
"base64dump.py -n 10" + - "# Decode Base64, then XOR with key" + - "base64dump.py -s -d | translate.py 'byte ^ ' > shellcode.bin" + lab: "3.4" + + - id: office-full-decode-chain + name: "Full Office Macro Decode Chain" + task: "Complete pipeline: Office doc → VBA → Base64 → gunzip → XOR → shellcode" + tools: [oledump-py, base64dump-py, gunzip, translate-py, scdbgc] + commands: + - "# Step 1: List streams and extract VBA" + - "oledump.py " + - "oledump.py -s -v" + - "# Step 2: Extract Base64 from data stream" + - "oledump.py -s -d | base64dump.py -s 1 -d > stage1.ps1" + - "# Step 3: Decode second Base64 layer + decompress" + - "base64dump.py stage1.ps1 -s 3 -d | gunzip > stage2.ps1" + - "# Step 4: XOR decode the shellcode" + - "base64dump.py stage2.ps1 -s 2 -d | translate.py 'byte ^ 35' > shellcode.bin" + - "# Step 5: Emulate the shellcode" + - "scdbgc /f shellcode.bin /s -1" + lab: "3.4" + + - id: password-protected-office + name: "Decrypt Password-Protected Office Document" + task: "Remove password protection before analysis" + tools: [msoffcrypto-tool] + commands: + - "# Common malware passwords: infected, malware, password, 123456" + - "msoffcrypto-tool -p infected " + + - id: excel-xlm-macros + name: "Deobfuscate Excel 4.0 (XLM) Macros" + task: "Extract and decode legacy Excel macros hidden in sheets" + tools: [xlmmacrodeobfuscator] + commands: + - "# Deobfuscate XLM macros" + - "xlmdeobfuscator --file " + + - id: vba-pcode-decompile + name: "Recover VBA from p-code (source removed)" + task: "Decompile VBA when source code has been stripped, only p-code remains" + tools: [pcode2code, pcodedmp] + commands: + - "# Decompile p-code back to VBA source" + - "pcode2code " + - "# Or disassemble p-code to assembly" + - "pcodedmp " + + # ============================================================ + # RTF DOCUMENT ANALYSIS + # ============================================================ + + - id: rtf-shellcode-extraction + name: "Extract Shellcode from RTF Document" + 
task: "Find and extract embedded shellcode from a malicious RTF file" + tools: [rtfdump-py, xorsearch, scdbgc] + commands: + - "# Scan RTF structure — look for groups with lots of hex data" + - "rtfdump.py " + - "# Extract the hex-heavy group as binary" + - "rtfdump.py -s -H -d > extracted.bin" + - "# Scan for shellcode patterns (even XOR-encoded)" + - "XORSearch -W -d 3 extracted.bin" + - "# Emulate shellcode at found offset" + - "scdbgc /f extracted.bin /foff /s -1" + lab: "3.5" + + # ============================================================ + # PDF ANALYSIS + # ============================================================ + + - id: pdf-object-extraction + name: "Extract Embedded Object from PDF" + task: "Pull out an embedded image, JavaScript, or file from a PDF object" + tools: [pdfid-py, pdf-parser-py, feh] + commands: + - "# Scan for suspicious keywords" + - "pdfid.py " + - "# Find objects containing the keyword" + - "pdf-parser.py -s /URI" + - "# Extract all values for that keyword" + - "pdf-parser.py -k /URI" + - "# Dump a specific object to file" + - "pdf-parser.py -o -d extracted_object" + - "# View extracted image" + - "feh extracted_object &" + lab: "3.1" + + - id: pdf-javascript-extraction + name: "Extract JavaScript from PDF" + task: "Find and extract embedded JavaScript from a PDF file" + tools: [pdfid-py, pdf-parser-py, peepdf] + commands: + - "# Check if PDF contains JavaScript" + - "pdfid.py " + - "# Find objects with JavaScript" + - "pdf-parser.py -s /JavaScript" + - "# Interactive analysis with peepdf" + - "peepdf -i " + + # ============================================================ + # JAVASCRIPT DEOBFUSCATION + # ============================================================ + + - id: js-deobfuscation-spidermonkey + name: "Deobfuscate JavaScript with SpiderMonkey" + task: "Execute obfuscated JS safely using SpiderMonkey with API simulation" + tools: [js-beautify, spidermonkey] + commands: + - "# Beautify compressed JavaScript" + - 
"js-beautify > readable.js" + - "# Execute with objects.js to simulate browser/WScript APIs" + - "js -f /usr/share/remnux/objects.js -f > decoded.js" + - "# If script expects location.href, edit objects.js first:" + - "cp /usr/share/remnux/objects.js ." + - "# Edit objects.js to set: location = { href: 'http://expected-url' }" + - "js -f objects.js -f > decoded.js" + lab: "3.6, 3.7" + + - id: js-null-byte-cleanup + name: "Clean Null Bytes from UTF-16 JavaScript" + task: "Remove null byte padding from UTF-16 encoded JavaScript before analysis" + tools: [spidermonkey] + commands: + - "# Check for null bytes (look for 00 in hex)" + - "xxd | head -2" + - "# Remove null bytes" + - "cat | tr -d '\\00' > clean.js" + - "# Then deobfuscate" + - "js -f /usr/share/remnux/objects.js -f clean.js > decoded.js" + - "# Beautify the result" + - "js-beautify decoded.js > final.js" + lab: "4.5" + + # ============================================================ + # SHELLCODE ANALYSIS + # ============================================================ + + - id: shellcode-emulate-with-offset + name: "Emulate Shellcode at Specific Offset" + task: "Run shellcode that starts at an offset within a larger binary" + tools: [scdbgc] + commands: + - "# Emulate from file start" + - "scdbgc /f /s -1" + - "# Emulate from specific offset (hex)" + - "scdbgc /f /foff /s -1" + - "# Emulate with a file handle pre-opened (for exploits)" + - "scdbgc /f /foff /fopen /s -1" + lab: "3.5, 4.6" + + - id: cobalt-strike-beacon-parse + name: "Parse Cobalt Strike Beacon Configuration" + task: "Extract C2 config from a Cobalt Strike beacon or shellcode" + tools: [1768-py, yara] + commands: + - "# Scan with YARA for CS signatures" + - "yara-rules " + - "# Extract beacon configuration" + - "1768.py " + lab: "3.4" + + - id: shellcode-to-exe + name: "Convert Shellcode to Executable" + task: "Wrap raw shellcode in a PE for analysis in disassemblers" + tools: [shcode2exe] + commands: + - "# Convert 32-bit shellcode to EXE" 
+ - "shcode2exe " + + # ============================================================ + # STRING DEOBFUSCATION + # ============================================================ + + - id: xor-key-brute-force + name: "Brute-Force XOR Key" + task: "Find the XOR key used to encode strings in a binary" + tools: [brxor-py, bbcrack, xorsearch, xortool] + commands: + - "# Quick check for XOR-encoded URLs/PE headers" + - "XORSearch http:" + - "# Brute-force single-byte XOR keys" + - "brxor.py " + - "# Try XOR, ROL, ADD combinations" + - "bbcrack -l 1 " + - "# Guess multi-byte XOR key length and value" + - "xortool " + - "# Decode with known key" + - "xortool-xor -s '' -i -o " + lab: "5.2" + + - id: stack-string-extraction + name: "Extract Stack-Built Strings" + task: "Decode strings assembled byte-by-byte on the stack" + tools: [strdeob-pl, floss] + commands: + - "# Automatic stack string recovery" + - "strdeob.pl " + - "# FLOSS automatic deobfuscation (static + stack + decoded)" + - "floss " + - "# FLOSS skip static strings, only show decoded" + - "floss --no-static -- " + lab: "5.2" + + - id: cyberchef-xor-decode + name: "Visual XOR/Base64 Decode with CyberChef" + task: "Use CyberChef's recipe builder for multi-step decoding" + tools: [cyberchef] + commands: + - "# Launch CyberChef" + - "cyberchef" + - "# Common recipe: From Hex → XOR (key) → extract strings" + - "# Common recipe: From Base64 → Decode text UTF-16LE" + + # ============================================================ + # MALWARE EMULATION & CAPABILITY ANALYSIS + # ============================================================ + + - id: speakeasy-emulation-with-json + name: "Emulate Malware and Extract API Calls" + task: "Emulate a Windows binary on Linux and analyze its API usage" + tools: [speakeasy, jq] + commands: + - "# Emulate and capture both JSON report and text log" + - "speakeasy -t -o report.json 2> report.txt" + - "# Extract all API names called" + - "jq '.entry_points[].apis[].api_name' report.json" 
+ - "# Extract unique API names" + - "jq -r '.entry_points[].apis[].api_name' report.json | sort -u" + lab: "1.4" + + - id: capa-capability-filter + name: "Filter Capabilities by Technique" + task: "Find specific capabilities in capa output" + tools: [capa] + commands: + - "# Full capabilities report" + - "capa " + - "# Verbose with rule matches" + - "capa -vv " + - "# Filter for specific technique" + - "capa -vv | grep -A7 ''" + - "# Find injection-related capabilities" + - "capa -vv | grep -A7 'inject\\|hollow\\|suspend'" + lab: "1.4, 5.4" + + # ============================================================ + # NETWORK ANALYSIS + # ============================================================ + + - id: pcap-file-carving + name: "Extract Files from Network Capture" + task: "Carve downloaded payloads and exfiltrated data from PCAP" + tools: [tcpxtract, tcpflow, networkminer] + commands: + - "# Carve files using signatures" + - "tcpxtract -f -o carved/" + - "# Extract individual TCP streams" + - "tcpflow -r -o streams/" + - "# Or use NetworkMiner for automated extraction" + - "NetworkMiner --pcap " + + - id: dns-interception-setup + name: "Set Up DNS + HTTP Interception" + task: "Redirect all malware DNS queries and serve fake HTTP responses" + tools: [fakedns, httpd, inetsim] + commands: + - "# Option A: Simple DNS + HTTP" + - "fakedns &" + - "httpd &" + - "# Option B: Full service emulation (HTTP, HTTPS, DNS, FTP, SMTP)" + - "inetsim" + - "# Verify DNS is working" + - "nslookup anything.com" + - "# Redirect hardcoded IPs too" + - "iptables -t nat -A PREROUTING -i eth0 -j REDIRECT" + + # ============================================================ + # .NET ANALYSIS + # ============================================================ + + - id: dotnet-decompile-cli + name: "Decompile .NET on Command Line" + task: "Decompile a .NET assembly to C# source on REMnux" + tools: [ilspycmd, de4dot] + commands: + - "# Decompile to C# source" + - "ilspycmd > source.cs" + - "# Search 
for suspicious patterns" + - "grep -n 'Assembly.Load\\|WebClient\\|Process.Start' source.cs" + - "# If obfuscated, deobfuscate first" + - "de4dot " + - "ilspycmd > source_clean.cs" + lab: "4.8" + + # ============================================================ + # MEMORY FORENSICS + # ============================================================ + + - id: volatility-quick-triage + name: "Quick Memory Dump Triage" + task: "Fast initial assessment of a memory dump" + tools: [volatility3] + commands: + - "# Identify OS" + - "vol3 -f windows.info" + - "# Process tree (spot anomalies)" + - "vol3 -f windows.pstree" + - "# Network connections" + - "vol3 -f windows.netscan" + - "# Injected code detection" + - "vol3 -f windows.malfind" + + # ============================================================ + # ANDROID ANALYSIS + # ============================================================ + + - id: apk-quick-triage + name: "Quick APK Triage" + task: "Fast initial assessment of a suspicious Android app" + tools: [apkid, apktool, jadx] + commands: + - "# Check for packers/obfuscators" + - "apkid " + - "# Decompile to smali + resources" + - "apktool d -o output/" + - "# Check permissions" + - "grep 'uses-permission' output/AndroidManifest.xml" + - "# Decompile to Java source" + - "jadx -d src/" + + # ============================================================ + # EMAIL ANALYSIS + # ============================================================ + + - id: email-attachment-extraction + name: "Extract and Triage Email Attachments" + task: "Pull attachments from an email and identify their types" + tools: [emldump-py, file, sha256sum] + commands: + - "# List email structure" + - "emldump.py " + - "# Extract all attachments" + - "emldump.py -d" + - "# Identify file types" + - "file attachment_*" + - "# Compute hashes for lookup" + - "sha256sum attachment_*" diff --git a/data/for610/tools.yaml b/data/for610/tools.yaml new file mode 100644 index 0000000..6b64afb --- /dev/null 
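Review bot: The `dns-interception-setup` recipe ends with `iptables -t nat -A PREROUTING -i eth0 -j REDIRECT`, which carries no `-p`/`--dport` match, so it rewrites the destination of every packet arriving on eth0 — any protocol, any port — to the REMnux host, and the recipe never removes it. That is the intent for catching hardcoded C2 addresses, but as written the rule silently turns the interface into a sink for everything the analysis VM sends, is appended again on every run, and stays in the nat table until flushed, so the recipe should state that it is for the isolated lab-only interface and pair it with a cleanup line. I would change the comment to `- "# Redirect hardcoded IPs too (isolated lab interface only — eth0 must not be the NAT/Internet adapter)"` and append `- "# Undo when done: iptables -t nat -D PREROUTING -i eth0 -j REDIRECT"`. Relatedly, the `js-deobfuscation-spidermonkey` task describes executing obfuscated JS "safely", yet the `js` shell exposes host built-ins such as `load()` and `read()` (and on some builds an `os` object with `system()`) that objects.js does not hide, so that word deserves a "the js shell is not a sandbox; run inside the analysis VM" qualifier.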
+++ b/data/for610/tools.yaml 
@@ -0,0 +1,1687 @@ +# FOR610 Master Tool Catalog +# Comprehensive inventory of all tools referenced in SANS FOR610 course +# Each tool includes platform, availability, lab references, and usage examples + +tools: + + # ============================================================ + # PDF ANALYSIS + # ============================================================ + + - id: pdfid-py + name: "pdfid.py" + aliases: ["pdfid"] + description: "Scan PDF files for suspicious keywords like /JavaScript, /OpenAction, /Launch without parsing" + category: pdf-analysis + platform: linux + in_remnux: true + author: "Didier Stevens" + labs: ["3.1"] + typical_usage: + - "pdfid.py document.pdf" + - "pdfid.py -n document.pdf" + for610_sections: [1, 3] + tags: [pdf, static-analysis, triage, didier-stevens] + + - id: pdf-parser-py + name: "pdf-parser.py" + aliases: ["pdf-parser"] + description: "Parse PDF structure, locate objects, extract content, and search for strings" + category: pdf-analysis + platform: linux + in_remnux: true + author: "Didier Stevens" + labs: ["3.1"] + typical_usage: + - "pdf-parser.py document.pdf -a" + - "pdf-parser.py document.pdf -s /URI" + - "pdf-parser.py document.pdf -k /URI" + - "pdf-parser.py document.pdf -o 6 -d object6.jpg" + for610_sections: [1, 3] + tags: [pdf, static-analysis, object-extraction, didier-stevens] + + - id: peepdf + name: "peepdf" + aliases: [] + description: "Interactive PDF analysis framework with JavaScript detection and exploitation capabilities" + category: pdf-analysis + platform: linux + in_remnux: true + labs: [] + typical_usage: + - "peepdf -i malicious.pdf" + - "peepdf -f -i malicious.pdf" + for610_sections: [1] + tags: [pdf, interactive, javascript-detection] + + - id: pdftool-py + name: "pdftool.py" + aliases: [] + description: "Analyze PDF incremental updates" + category: pdf-analysis + platform: linux + in_remnux: true + author: "Didier Stevens" + labs: [] + typical_usage: + - "pdftool.py document.pdf" + for610_sections: [1] 
+ tags: [pdf, didier-stevens] + + - id: pdfresurrect + name: "pdfresurrect" + aliases: [] + description: "Extract and analyze previous versions from PDF files" + category: pdf-analysis + platform: linux + in_remnux: true + labs: [] + typical_usage: + - "pdfresurrect document.pdf" + for610_sections: [1] + tags: [pdf, versioning] + + - id: qpdf + name: "qpdf" + aliases: [] + description: "Decrypt, linearize, and transform PDF files — useful for removing password protection" + category: pdf-analysis + platform: linux + in_remnux: true + labs: [] + typical_usage: + - "qpdf --decrypt encrypted.pdf output.pdf" + for610_sections: [3] + tags: [pdf, decryption, transformation] + + - id: pdftk + name: "pdftk" + aliases: [] + description: "Manipulate PDF files — merge, split, flatten, encrypt, and extract embedded content" + category: pdf-analysis + platform: linux + in_remnux: true + labs: [] + typical_usage: + - "pdftk input.pdf cat output output.pdf flatten" + - "pdftk input.pdf unpack_files" + for610_sections: [3] + tags: [pdf, manipulation, extraction] + + # ============================================================ + # DOCUMENT & MACRO ANALYSIS + # ============================================================ + + - id: oledump-py + name: "oledump.py" + aliases: ["oledump"] + description: "Analyze OLE2 files (Office documents), extract streams and VBA macros" + category: document-analysis + platform: linux + in_remnux: true + author: "Didier Stevens" + labs: ["3.3", "3.4", "4.5"] + typical_usage: + - "oledump.py document.docm" + - "oledump.py document.docm -s A3 -v" + - "oledump.py document.docm -i" + for610_sections: [3, 4] + tags: [office, vba, macro, ole, didier-stevens] + + - id: olevba + name: "olevba" + aliases: [] + description: "Extract and analyze VBA macros from Office documents with deobfuscation" + category: document-analysis + platform: linux + in_remnux: true + labs: [] + typical_usage: + - "olevba document.docm" + - "olevba --deobf document.docm" + 
for610_sections: [3] + tags: [office, vba, macro, deobfuscation] + + - id: evilclippy + name: "evilclippy" + aliases: [] + description: "Remove VBA project password protection and manipulate Office macro settings" + category: document-analysis + platform: both + in_remnux: true + labs: [] + typical_usage: + - "evilclippy -uu document.docm" + for610_sections: [3] + tags: [office, vba, password-removal] + + - id: rtfdump-py + name: "rtfdump.py" + aliases: ["rtfdump"] + description: "Analyze RTF file structure, identify hex-encoded groups and embedded objects" + category: document-analysis + platform: linux + in_remnux: true + author: "Didier Stevens" + labs: ["3.5"] + typical_usage: + - "rtfdump.py document.rtf" + - "rtfdump.py document.rtf -s 5 -H -d > extracted.bin" + for610_sections: [3] + tags: [rtf, document, didier-stevens] + + - id: base64dump-py + name: "base64dump.py" + aliases: ["base64dump"] + description: "Extract and decode Base64-encoded strings from files" + category: document-analysis + platform: linux + in_remnux: true + author: "Didier Stevens" + labs: ["3.4", "4.5"] + typical_usage: + - "base64dump.py file.txt" + - "base64dump.py file.ps1 -n 10" + - "base64dump.py file.ps1 -s 2 -d" + for610_sections: [3, 4] + tags: [base64, decoding, didier-stevens] + + - id: emldump-py + name: "emldump.py" + aliases: ["emldump"] + description: "Parse and analyze EML email message files" + category: document-analysis + platform: linux + in_remnux: true + author: "Didier Stevens" + labs: [] + typical_usage: + - "emldump.py message.eml" + for610_sections: [3] + tags: [email, eml, didier-stevens] + + - id: zipdump-py + name: "zipdump.py" + aliases: ["zipdump"] + description: "Parse and analyze ZIP archive structure" + category: document-analysis + platform: linux + in_remnux: true + author: "Didier Stevens" + labs: [] + typical_usage: + - "zipdump.py archive.zip" + for610_sections: [3] + tags: [zip, archive, didier-stevens] + + - id: numbers-to-string-py + name: 
"numbers-to-string.py" + aliases: [] + description: "Convert sequences of decimal numbers to readable characters" + category: document-analysis + platform: linux + in_remnux: true + author: "Didier Stevens" + labs: ["3.3"] + typical_usage: + - "oledump.py doc.docm -s A3 -v | numbers-to-string.py -j" + for610_sections: [3] + tags: [decoding, deobfuscation, didier-stevens] + + - id: translate-py + name: "translate.py" + aliases: [] + description: "Transform data using Python expressions (XOR, ADD, etc.)" + category: document-analysis + platform: linux + in_remnux: true + author: "Didier Stevens" + labs: ["3.4"] + typical_usage: + - "translate.py \"byte ^ 35\" < input.bin > output.bin" + for610_sections: [3] + tags: [xor, transformation, decoding, didier-stevens] + + # ============================================================ + # STATIC ANALYSIS (PE) + # ============================================================ + + - id: pestudio + name: "PeStudio" + aliases: [] + description: "GUI tool for examining static properties of PE files — imports, strings, sections, entropy, indicators" + category: static-analysis-pe + platform: windows + in_remnux: false + labs: ["1.1", "1.5", "2.7", "3.10", "3.12", "4.1", "4.2", "4.3", "4.7", "4.8", "5.3", "5.4", "5.8", "5.9", "5.10"] + typical_usage: + - "pestudio.exe specimen.exe" + for610_sections: [1, 2, 3, 4, 5] + tags: [pe, static-analysis, imports, strings, entropy, triage] + + - id: peframe + name: "peframe" + aliases: [] + description: "Static analysis of PE files — extract properties, detect anomalies, identify packers" + category: static-analysis-pe + platform: linux + in_remnux: true + labs: ["1.1", "4.8"] + typical_usage: + - "peframe specimen.exe" + for610_sections: [1, 4] + tags: [pe, static-analysis, triage] + + - id: pestr + name: "pestr" + aliases: [] + description: "Extract ASCII and Unicode strings from PE files" + category: static-analysis-pe + platform: linux + in_remnux: true + labs: ["1.1", "4.8"] + 
typical_usage: + - "pestr specimen.exe" + for610_sections: [1, 4] + tags: [pe, strings, static-analysis] + + - id: strings + name: "strings" + aliases: [] + description: "Extract printable ASCII and Unicode strings from binary files" + category: static-analysis-pe + platform: linux + in_remnux: true + labs: ["3.4", "5.2"] + typical_usage: + - "strings binary.exe" + - "strings -n 10 binary.exe" + - "strings --encoding=l binary.exe" + for610_sections: [1, 3] + tags: [strings, static-analysis, triage] + + - id: bytehist + name: "Bytehist" + aliases: [] + description: "Generate byte-usage histograms to visually identify packed or encrypted sections in binaries" + category: static-analysis-pe + platform: both + in_remnux: true + labs: [] + typical_usage: + - "bytehist specimen.exe" + for610_sections: [1, 4] + tags: [pe, entropy, packing-detection, histogram] + + - id: diec + name: "diec" + aliases: ["Detect It Easy", "DIE"] + description: "Detect packers, compilers, and tools used to create executables" + category: static-analysis-pe + platform: both + in_remnux: true + labs: ["4.1"] + typical_usage: + - "diec specimen.exe" + for610_sections: [1, 4] + tags: [pe, packer-detection, compiler-detection] + + - id: exeinfo-pe + name: "ExeInfo PE" + aliases: ["ExeInfoPE", "ExeInfo"] + description: "Identify tools and packers used to create PE executables" + category: static-analysis-pe + platform: windows + in_remnux: false + labs: ["3.12"] + typical_usage: + - "ExeInfoPE.exe specimen.exe" + for610_sections: [1, 3] + tags: [pe, packer-detection] + + - id: cff-explorer + name: "CFF Explorer" + aliases: [] + description: "View and edit PE file headers, sections, imports, and resources" + category: static-analysis-pe + platform: windows + in_remnux: false + labs: [] + typical_usage: + - "CFF Explorer specimen.exe" + for610_sections: [1] + tags: [pe, header-editing, resources] + + - id: file + name: "file" + aliases: [] + description: "Determine file type and MIME type using magic 
bytes" + category: static-analysis-pe + platform: linux + in_remnux: true + labs: ["3.4", "3.5"] + typical_usage: + - "file specimen.exe" + - "file document.doc" + for610_sections: [3] + tags: [file-identification, triage] + + - id: trid + name: "trid" + aliases: [] + description: "Identify file type by scanning binary signatures database" + category: static-analysis-pe + platform: linux + in_remnux: true + labs: ["3.3", "3.4"] + typical_usage: + - "trid document.doc" + for610_sections: [3] + tags: [file-identification, triage] + + - id: exiftool + name: "exiftool" + aliases: [] + description: "Extract metadata from files (PDF, images, documents, executables)" + category: static-analysis-pe + platform: linux + in_remnux: true + labs: [] + typical_usage: + - "exiftool document.pdf" + - "exiftool specimen.exe" + for610_sections: [1] + tags: [metadata, triage] + + # ============================================================ + # BEHAVIORAL ANALYSIS + # ============================================================ + + - id: system-informer + name: "System Informer" + aliases: ["Process Hacker"] + description: "Monitor processes, network connections, handles, and system resources in real time" + category: behavioral-analysis + platform: windows + in_remnux: false + labs: ["1.2", "1.3", "1.6", "1.7", "1.8", "4.2", "4.5", "5.1"] + typical_usage: + - "SystemInformer.exe" + for610_sections: [1, 4, 5] + tags: [process-monitoring, handles, network, real-time] + + - id: process-monitor + name: "Process Monitor" + aliases: ["ProcMon", "procmon"] + description: "Record file system, registry, process, and thread activity in real time" + category: behavioral-analysis + platform: windows + in_remnux: false + labs: ["1.2", "4.5"] + typical_usage: + - "Procmon.exe" + for610_sections: [1, 4] + tags: [filesystem, registry, process-monitoring, real-time] + + - id: regshot + name: "Regshot" + aliases: [] + description: "Take and compare registry/filesystem snapshots before and after 
infection" + category: behavioral-analysis + platform: windows + in_remnux: false + labs: ["1.2"] + typical_usage: + - "Regshot-x64-Unicode.exe" + for610_sections: [1] + tags: [registry, filesystem, snapshot, comparison] + + - id: procdot + name: "ProcDOT" + aliases: [] + description: "Visualize Process Monitor logs as interactive graphs for behavioral analysis" + category: behavioral-analysis + platform: both + in_remnux: true + labs: ["1.2", "4.5"] + typical_usage: + - "procdot" + for610_sections: [1, 4] + tags: [visualization, process-monitor, behavioral] + + - id: autoruns + name: "Autoruns" + aliases: [] + description: "View and manage all autostart locations — startup programs, services, drivers, scheduled tasks" + category: behavioral-analysis + platform: windows + in_remnux: false + labs: [] + typical_usage: + - "Autoruns.exe" + for610_sections: [1] + tags: [persistence, autostart, startup] + + - id: api-monitor + name: "API Monitor" + aliases: [] + description: "Monitor and record API calls made by processes" + category: behavioral-analysis + platform: windows + in_remnux: false + labs: [] + typical_usage: + - "apimonitor-x64.exe" + for610_sections: [1] + tags: [api-calls, monitoring, dynamic-analysis] + + - id: tcplogview + name: "TcpLogView" + aliases: [] + description: "Log opened and closed TCP connections with process information" + category: behavioral-analysis + platform: windows + in_remnux: false + labs: [] + typical_usage: + - "TcpLogView.exe" + for610_sections: [1] + tags: [network, tcp, connection-logging] + + # ============================================================ + # NETWORK ANALYSIS & INTERCEPTION + # ============================================================ + + - id: wireshark + name: "Wireshark" + aliases: [] + description: "GUI network protocol analyzer for capturing and inspecting packet-level traffic" + category: network-analysis + platform: both + in_remnux: true + labs: ["1.2", "1.3", "1.6", "1.7", "1.8", "5.1"] + 
typical_usage: + - "wireshark" + - "wireshark -r capture.pcap" + for610_sections: [1, 5] + tags: [packet-capture, protocol-analysis, network] + + - id: tshark + name: "tshark" + aliases: [] + description: "Command-line interface to Wireshark for packet capture and analysis" + category: network-analysis + platform: both + in_remnux: true + labs: [] + typical_usage: + - "tshark -r capture.pcap" + - "tshark -i eth0 -w capture.pcap" + for610_sections: [1] + tags: [packet-capture, cli, network] + + - id: tcpdump + name: "tcpdump" + aliases: [] + description: "Command-line packet capture tool" + category: network-analysis + platform: linux + in_remnux: true + labs: [] + typical_usage: + - "tcpdump -i eth0 -w capture.pcap" + - "tcpdump -r capture.pcap" + for610_sections: [1] + tags: [packet-capture, cli, network] + + - id: fiddler + name: "Fiddler" + aliases: [] + description: "HTTP/HTTPS debugging proxy for intercepting, inspecting, and modifying web traffic" + category: network-analysis + platform: windows + in_remnux: false + labs: ["3.2", "3.8", "3.9", "3.10", "3.11", "3.12", "4.5"] + typical_usage: + - "Fiddler.exe" + for610_sections: [3, 4] + tags: [http, https, proxy, web-traffic] + + - id: fakedns + name: "fakedns" + aliases: [] + description: "Fake DNS server that resolves all queries to a specified IP for traffic interception" + category: network-analysis + platform: linux + in_remnux: true + labs: ["1.3", "1.6", "1.7", "1.8"] + typical_usage: + - "fakedns" + for610_sections: [1] + tags: [dns, spoofing, interception, lab-setup] + + - id: inetsim + name: "INetSim" + aliases: [] + description: "Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for malware analysis in isolated labs" + category: network-analysis + platform: linux + in_remnux: true + labs: ["1.7"] + typical_usage: + - "inetsim" + for610_sections: [1] + tags: [service-emulation, network-simulation, lab-setup] + + - id: httpd + name: "httpd" + aliases: ["accept-all-ips"] + description: "Simple 
HTTP server on REMnux for simulating C2 web servers" + category: network-analysis + platform: linux + in_remnux: true + labs: ["1.3", "1.6", "1.8"] + typical_usage: + - "httpd" + for610_sections: [1] + tags: [http, web-server, c2-simulation, lab-setup] + + - id: iptables + name: "iptables" + aliases: [] + description: "Linux firewall and NAT tool for redirecting IP-based malware traffic" + category: network-analysis + platform: linux + in_remnux: true + labs: ["1.8"] + typical_usage: + - "iptables -t nat -A PREROUTING -i ens32 -j REDIRECT" + for610_sections: [1] + tags: [firewall, nat, traffic-redirection] + + - id: netcat + name: "nc" + aliases: ["netcat"] + description: "Network utility for reading/writing data across TCP/UDP connections" + category: network-analysis + platform: both + in_remnux: true + labs: [] + typical_usage: + - "nc -l -p 3127" + - "nc target_ip 80" + for610_sections: [1] + tags: [network, tcp, listener] + + - id: nslookup + name: "nslookup" + aliases: [] + description: "DNS query tool for testing name resolution" + category: network-analysis + platform: both + in_remnux: true + labs: ["1.3"] + typical_usage: + - "nslookup domain.com" + for610_sections: [1] + tags: [dns, testing] + + - id: thug + name: "Thug" + aliases: [] + description: "Low-interaction honeyclient for analyzing malicious websites and drive-by downloads" + category: network-analysis + platform: linux + in_remnux: true + labs: [] + typical_usage: + - "thug -u win7chrome49 http://suspicious-site.com" + for610_sections: [3] + tags: [honeyclient, web-analysis, drive-by] + + - id: burp-suite + name: "Burp Suite" + aliases: ["Burp"] + description: "Web application security proxy for intercepting and modifying HTTP/HTTPS traffic" + category: network-analysis + platform: both + in_remnux: false + labs: [] + typical_usage: + - "burpsuite" + for610_sections: [3] + tags: [http, https, proxy, web-security] + + - id: torsocks + name: "torsocks" + aliases: [] + description: "Route network 
traffic through the Tor anonymity network" + category: network-analysis + platform: linux + in_remnux: true + labs: [] + typical_usage: + - "torsocks curl http://example.onion" + for610_sections: [1] + tags: [tor, anonymity, network-routing] + + # ============================================================ + # CODE ANALYSIS & DISASSEMBLY + # ============================================================ + + - id: ghidra + name: "Ghidra" + aliases: [] + description: "Open-source disassembler and decompiler from NSA with scripting, function graphs, and data type management" + category: code-analysis + platform: both + in_remnux: true + labs: ["2.1", "2.2", "2.3", "2.4", "2.5", "2.6", "2.7", "2.8", "4.9", "5.2", "5.4", "5.5", "5.6", "5.7", "5.9"] + typical_usage: + - "ghidra" + for610_sections: [2, 4, 5] + tags: [disassembly, decompilation, code-analysis, function-graph] + + - id: ida + name: "IDA" + aliases: ["IDA Pro", "IDA Freeware"] + description: "Commercial interactive disassembler and debugger from Hex-Rays" + category: code-analysis + platform: both + in_remnux: false + labs: [] + typical_usage: + - "ida64.exe specimen.exe" + for610_sections: [2] + tags: [disassembly, decompilation, commercial] + + - id: binary-ninja + name: "Binary Ninja" + aliases: [] + description: "Commercial disassembler with strong automated analysis and scripting" + category: code-analysis + platform: both + in_remnux: false + labs: [] + typical_usage: + - "binaryninja specimen.exe" + for610_sections: [2] + tags: [disassembly, commercial] + + - id: cutter + name: "Cutter" + aliases: [] + description: "Open-source reverse engineering platform — Qt-based GUI for radare2" + category: code-analysis + platform: both + in_remnux: true + labs: [] + typical_usage: + - "cutter specimen.exe" + for610_sections: [2] + tags: [disassembly, radare2, open-source] + + - id: radare2 + name: "radare2" + aliases: ["r2"] + description: "Open-source reverse engineering command-line framework" + category: 
code-analysis + platform: both + in_remnux: true + labs: [] + typical_usage: + - "r2 specimen.exe" + for610_sections: [2] + tags: [disassembly, cli, open-source] + + # ============================================================ + # DEBUGGING + # ============================================================ + + - id: x64dbg + name: "x64dbg" + aliases: [] + description: "Open-source 64-bit debugger for dynamic malware analysis — breakpoints, memory inspection, patching" + category: debugging + platform: windows + in_remnux: false + labs: ["1.5", "4.3", "4.4", "5.1"] + typical_usage: + - "x64dbg.exe specimen.exe" + for610_sections: [1, 4, 5] + tags: [debugger, 64-bit, dynamic-analysis, breakpoints] + + - id: x32dbg + name: "x32dbg" + aliases: [] + description: "Open-source 32-bit debugger for dynamic malware analysis — breakpoints, memory inspection, patching" + category: debugging + platform: windows + in_remnux: false + labs: ["3.5", "3.10", "4.6", "4.7", "5.3", "5.4", "5.5", "5.6", "5.7", "5.8", "5.9", "5.10"] + typical_usage: + - "x32dbg.exe specimen.exe" + for610_sections: [3, 4, 5] + tags: [debugger, 32-bit, dynamic-analysis, breakpoints] + + - id: ollydbg + name: "OllyDbg" + aliases: [] + description: "Classic 32-bit debugger for Windows (legacy, predecessor to x32dbg)" + category: debugging + platform: windows + in_remnux: false + labs: [] + typical_usage: + - "ollydbg.exe specimen.exe" + for610_sections: [4, 5] + tags: [debugger, 32-bit, legacy] + + - id: windbg + name: "WinDbg" + aliases: [] + description: "Microsoft Windows debugger for kernel and user-mode debugging" + category: debugging + platform: windows + in_remnux: false + labs: [] + typical_usage: + - "windbg.exe specimen.exe" + for610_sections: [2] + tags: [debugger, kernel, microsoft] + + # ============================================================ + # EMULATION & SANDBOXING + # ============================================================ + + - id: speakeasy + name: "speakeasy" + aliases: [] + 
description: "Windows binary emulator — emulates API calls to analyze malware behavior without native execution" + category: emulation + platform: linux + in_remnux: true + labs: ["1.4"] + typical_usage: + - "speakeasy -t specimen.exe -o report.json 2> report.txt" + - "speakeasy -t shellcode.bin -r -a x86" + for610_sections: [1] + tags: [emulation, api-calls, behavioral-analysis] + + - id: scdbgc + name: "scdbgc" + aliases: ["scdbg"] + description: "Shellcode emulator — analyze shellcode behavior through API-level emulation" + category: emulation + platform: both + in_remnux: true + labs: ["3.4", "3.5", "4.6"] + typical_usage: + - "scdbgc /f shellcode.bin /s -1" + - "scdbgc /f shellcode.bin /foff 0x3B /fopen qa.doc" + - "scdbgc /f shellcode.bin /s -1 /norw" + for610_sections: [3, 4] + tags: [shellcode, emulation, api-calls] + + - id: runsc32 + name: "runsc32" + aliases: ["runsc"] + description: "Execute extracted shellcode for dynamic analysis" + category: emulation + platform: windows + in_remnux: false + labs: ["3.5", "4.6"] + typical_usage: + - "runsc32 -f shellcode.bin -o 0x3B -d qa.doc" + for610_sections: [3, 4] + tags: [shellcode, execution, dynamic-analysis] + + - id: box-js + name: "box-js" + aliases: [] + description: "JavaScript sandbox for analyzing malicious scripts by emulating browser/WScript APIs" + category: emulation + platform: linux + in_remnux: true + labs: [] + typical_usage: + - "box-js --output-dir=/tmp suspicious.js" + for610_sections: [3] + tags: [javascript, sandbox, emulation] + + # ============================================================ + # UNPACKING & DUMPING + # ============================================================ + + - id: upx + name: "UPX" + aliases: ["upx"] + description: "Universal Packer for eXecutables — compress and decompress PE files" + category: unpacking + platform: both + in_remnux: true + labs: ["4.2"] + typical_usage: + - "upx -d packed.exe" + - "upx -d packed.exe -o unpacked.exe" + for610_sections: [4] + 
tags: [packer, unpacker, compression] + + - id: scylla + name: "Scylla" + aliases: [] + description: "Dump processes from memory and reconstruct import address tables (IAT)" + category: unpacking + platform: windows + in_remnux: false + labs: ["4.2", "4.3", "5.4", "5.8", "5.10"] + typical_usage: + - "Scylla x64 > Attach to process > Dump > IAT Autosearch > Fix Dump" + for610_sections: [4, 5] + tags: [memory-dump, iat-reconstruction, unpacking] + + - id: ollydumpex + name: "OllyDumpEx" + aliases: [] + description: "x64dbg/x32dbg plugin for dumping unpacked process memory to disk" + category: unpacking + platform: windows + in_remnux: false + labs: ["4.3", "5.4", "5.8"] + typical_usage: + - "Plugins > OllyDumpEx > Dump process" + for610_sections: [4, 5] + tags: [memory-dump, x64dbg-plugin, unpacking] + + - id: pe-unmapper + name: "pe_unmapper" + aliases: [] + description: "Convert dumped PE from virtual memory alignment to raw disk alignment" + category: unpacking + platform: windows + in_remnux: false + labs: ["5.10"] + typical_usage: + - "pe_unmapper /in dumped.exe /base 400000 /out fixed.exe" + for610_sections: [5] + tags: [pe-fixup, memory-dump, alignment] + + - id: setdllcharacteristics + name: "setdllcharacteristics" + aliases: [] + description: "Modify PE header flags — commonly used to disable ASLR (DynamicBase)" + category: unpacking + platform: windows + in_remnux: false + author: "Didier Stevens" + labs: ["4.2"] + typical_usage: + - "setdllcharacteristics -d specimen.exe" + for610_sections: [4] + tags: [pe-header, aslr, didier-stevens] + + # ============================================================ + # .NET ANALYSIS + # ============================================================ + + - id: ilspy + name: "ILSpy" + aliases: [] + description: ".NET assembly decompiler — view C#/VB.NET source from compiled .NET binaries" + category: dotnet-analysis + platform: windows + in_remnux: false + labs: ["3.12", "4.8"] + typical_usage: + - "ILSpy.exe assembly.exe" + 
for610_sections: [3, 4] + tags: [dotnet, decompiler, csharp] + + - id: ilspycmd + name: "ilspycmd" + aliases: [] + description: "Command-line .NET decompiler (CLI version of ILSpy)" + category: dotnet-analysis + platform: linux + in_remnux: true + labs: ["4.8"] + typical_usage: + - "ilspycmd assembly.exe > decompiled.cs" + for610_sections: [4] + tags: [dotnet, decompiler, cli] + + - id: dnspyex + name: "dnSpyEx" + aliases: ["dnSpy"] + description: ".NET debugger and decompiler — debug obfuscated/packed .NET malware with breakpoints" + category: dotnet-analysis + platform: windows + in_remnux: false + labs: ["4.8"] + typical_usage: + - "dnSpyEx.exe assembly.exe" + for610_sections: [4] + tags: [dotnet, debugger, decompiler] + + - id: de4dot + name: "de4dot" + aliases: [] + description: ".NET deobfuscator — remove obfuscation from .NET assemblies" + category: dotnet-analysis + platform: both + in_remnux: true + labs: ["4.8"] + typical_usage: + - "de4dot obfuscated.exe" + for610_sections: [4] + tags: [dotnet, deobfuscation] + + - id: dotpeek + name: "dotPeek" + aliases: [] + description: "Free JetBrains .NET decompiler — alternative to ILSpy for viewing .NET source" + category: dotnet-analysis + platform: windows + in_remnux: false + labs: [] + typical_usage: + - "dotPeek.exe assembly.exe" + for610_sections: [4] + tags: [dotnet, decompiler, jetbrains] + + - id: dotdumper + name: "DotDumper" + aliases: [] + description: "Execution monitor and memory extractor for automatic .NET malware unpacking" + category: dotnet-analysis + platform: windows + in_remnux: false + labs: [] + typical_usage: + - "DotDumper.exe -file chatroom.exe" + for610_sections: [4] + tags: [dotnet, unpacking, memory-extraction, automated] + + # ============================================================ + # JAVASCRIPT ANALYSIS + # ============================================================ + + - id: spidermonkey + name: "SpiderMonkey" + aliases: ["js"] + description: "Mozilla JavaScript engine — 
execute and deobfuscate malicious JavaScript outside a browser" + category: javascript-analysis + platform: linux + in_remnux: true + labs: ["3.6", "3.7", "4.5"] + typical_usage: + - "js -f malicious.js" + - "js -f /usr/share/remnux/objects.js -f malicious.js > decoded.js" + for610_sections: [3, 4] + tags: [javascript, deobfuscation, execution] + + - id: js-beautify + name: "js-beautify" + aliases: [] + description: "Format and beautify obfuscated JavaScript code for readability" + category: javascript-analysis + platform: linux + in_remnux: true + labs: ["3.6", "4.5"] + typical_usage: + - "js-beautify malicious.js > beautified.js" + for610_sections: [3] + tags: [javascript, formatting, readability] + + - id: cscript + name: "CScript" + aliases: ["cscript.exe"] + description: "Windows Script Host command-line — execute JScript/VBScript for AMSI monitoring" + category: javascript-analysis + platform: windows + in_remnux: false + labs: ["3.6"] + typical_usage: + - "cscript malicious.js" + for610_sections: [3] + tags: [javascript, vbscript, windows-script-host] + + # ============================================================ + # POWERSHELL ANALYSIS + # ============================================================ + + - id: powershell-ise + name: "PowerShell ISE" + aliases: ["powershell_ise"] + description: "PowerShell Integrated Scripting Environment — debug scripts with breakpoints and variable inspection" + category: powershell-analysis + platform: windows + in_remnux: false + labs: ["3.9", "3.11", "4.5"] + typical_usage: + - "powershell_ise script.ps1" + for610_sections: [3, 4] + tags: [powershell, debugger, script-analysis] + + - id: logman + name: "logman" + aliases: [] + description: "Windows Event Trace session manager — enable AMSI script content logging" + category: powershell-analysis + platform: windows + in_remnux: false + labs: ["3.6"] + typical_usage: + - "logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets" + - 
"logman stop AMSITrace -ets" + for610_sections: [3] + tags: [amsi, event-tracing, monitoring] + + - id: amsiscriptcontentretrieval + name: "AMSIScriptContentRetrieval" + aliases: [] + description: "Extract monitored script content from AMSI Event Trace logs" + category: powershell-analysis + platform: windows + in_remnux: false + labs: ["3.6"] + typical_usage: + - "AMSIScriptContentRetrieval AMSITrace.etl > output.txt" + for610_sections: [3] + tags: [amsi, script-extraction] + + # ============================================================ + # STRING & DATA DEOBFUSCATION + # ============================================================ + + - id: floss + name: "FLOSS" + aliases: ["floss"] + description: "Automatically extract obfuscated strings from malware using static analysis, stack strings, and emulation" + category: string-deobfuscation + platform: both + in_remnux: true + labs: ["5.2", "5.3"] + typical_usage: + - "floss specimen.exe" + - "floss specimen.exe > strings-output.txt" + - "floss --no-static -- specimen.exe" + for610_sections: [5] + tags: [strings, deobfuscation, automated] + + - id: xorsearch + name: "XORSearch" + aliases: [] + description: "Search for XOR/ROL/ROT/SHIFT-encoded patterns including shellcode signatures" + category: string-deobfuscation + platform: linux + in_remnux: true + author: "Didier Stevens" + labs: ["3.5", "5.2"] + typical_usage: + - "XORSearch -W -d 3 file.bin" + - "XORSearch -i -s specimen.exe http:" + for610_sections: [3, 5] + tags: [xor, shellcode-detection, pattern-search, didier-stevens] + + - id: brxor-py + name: "brxor.py" + aliases: [] + description: "Brute-force XOR key detection for single-byte XOR-encoded strings" + category: string-deobfuscation + platform: linux + in_remnux: true + labs: ["5.2"] + typical_usage: + - "brxor.py specimen.dll" + for610_sections: [5] + tags: [xor, brute-force, deobfuscation] + + - id: bbcrack + name: "bbcrack" + aliases: [] + description: "Detect and decode strings obfuscated with XOR, 
ROL, and ADD algorithms" + category: string-deobfuscation + platform: linux + in_remnux: true + labs: ["5.2"] + typical_usage: + - "bbcrack -l 1 specimen.dll" + for610_sections: [5] + tags: [xor, rol, add, deobfuscation, balbuzard] + + - id: strdeob-pl + name: "strdeob.pl" + aliases: [] + description: "Automatically decode stack-built strings from disassembled malware" + category: string-deobfuscation + platform: linux + in_remnux: true + labs: ["5.2"] + typical_usage: + - "strdeob.pl specimen.exe" + for610_sections: [5] + tags: [stack-strings, deobfuscation] + + - id: cyberchef + name: "CyberChef" + aliases: [] + description: "Web-based data transformation tool — decode Base64, XOR, hex, decompress, and chain operations" + category: string-deobfuscation + platform: both + in_remnux: true + labs: ["1.5", "3.8", "3.12"] + typical_usage: + - "cyberchef" + for610_sections: [1, 3] + tags: [decoding, encoding, transformation, web-based] + + # ============================================================ + # YARA & CAPABILITY DETECTION + # ============================================================ + + - id: capa + name: "capa" + aliases: [] + description: "Identify malware capabilities mapped to MITRE ATT&CK framework and Malware Behavior Catalog" + category: yara-detection + platform: both + in_remnux: true + labs: ["1.4", "5.4"] + typical_usage: + - "capa specimen.exe" + - "capa -vv specimen.exe" + - "capa -vv specimen.exe | grep -A7 'Suspended Process'" + for610_sections: [1, 5] + tags: [capabilities, mitre-attack, automated-analysis] + + - id: yara + name: "yara" + aliases: ["yara-rules"] + description: "Pattern matching tool for identifying and classifying malware using custom rules" + category: yara-detection + platform: both + in_remnux: true + labs: ["3.4"] + typical_usage: + - "yara-rules specimen.bin" + - "yara rule.yar specimen.exe" + for610_sections: [3] + tags: [pattern-matching, classification, rules] + + - id: 1768-py + name: "1768.py" + aliases: [] + 
description: "Parse Cobalt Strike beacon configuration from shellcode or memory dumps" + category: yara-detection + platform: linux + in_remnux: true + author: "Didier Stevens" + labs: ["3.4"] + typical_usage: + - "1768.py shellcode.bin" + for610_sections: [3] + tags: [cobalt-strike, beacon, c2-config, didier-stevens] + + # ============================================================ + # ANTI-ANALYSIS BYPASS + # ============================================================ + + - id: scyllahide + name: "ScyllaHide" + aliases: [] + description: "x64dbg/x32dbg plugin to hide debugger presence from anti-debugging checks" + category: anti-analysis + platform: windows + in_remnux: false + labs: ["5.3", "5.6"] + typical_usage: + - "Plugins > ScyllaHide > Options > Enable all" + for610_sections: [5] + tags: [anti-debugging, debugger-hiding, x64dbg-plugin] + + - id: xanalyzer + name: "xAnalyzer" + aliases: [] + description: "x32dbg plugin providing extended analysis — API parameter names and types in disassembly" + category: anti-analysis + platform: windows + in_remnux: false + labs: ["5.10"] + typical_usage: + - "Plugins > xAnalyzer" + for610_sections: [5] + tags: [x32dbg-plugin, analysis-enhancement] + + # ============================================================ + # ONLINE ANALYSIS PLATFORMS + # ============================================================ + + - id: virustotal + name: "VirusTotal" + aliases: ["VT"] + description: "Multi-engine antivirus scanning, behavioral analysis, and threat intelligence" + category: online-platforms + platform: online + in_remnux: false + labs: [] + typical_usage: + - "https://virustotal.com" + for610_sections: [1] + tags: [scanning, multi-engine, threat-intel] + + - id: hybrid-analysis + name: "Hybrid Analysis" + aliases: [] + description: "CrowdStrike automated sandbox for malware detonation and behavioral reporting" + category: online-platforms + platform: online + in_remnux: false + labs: [] + typical_usage: + - 
"https://hybrid-analysis.com" + for610_sections: [1] + tags: [sandbox, behavioral, crowdstrike] + + - id: any-run + name: "Any.run" + aliases: [] + description: "Interactive online malware analysis sandbox with real-time process monitoring" + category: online-platforms + platform: online + in_remnux: false + labs: [] + typical_usage: + - "https://any.run" + for610_sections: [1] + tags: [sandbox, interactive, real-time] + + - id: cape-sandbox + name: "CAPE Sandbox" + aliases: ["CAPE"] + description: "Automated malware analysis sandbox with payload extraction and config dumping" + category: online-platforms + platform: online + in_remnux: false + labs: [] + typical_usage: + - "https://capesandbox.com" + for610_sections: [1] + tags: [sandbox, automated, payload-extraction] + + - id: malwarebazaar + name: "MalwareBazaar" + aliases: [] + description: "Malware sample sharing platform by abuse.ch" + category: online-platforms + platform: online + in_remnux: false + labs: [] + typical_usage: + - "https://bazaar.abuse.ch" + for610_sections: [1] + tags: [sample-sharing, repository] + + - id: intezer-analyze + name: "Intezer Analyze" + aliases: [] + description: "Automated code analysis platform for malware classification using code reuse detection" + category: online-platforms + platform: online + in_remnux: false + labs: [] + typical_usage: + - "https://analyze.intezer.com" + for610_sections: [1] + tags: [code-reuse, classification, automated] + + - id: filescan-io + name: "FileScan.IO" + aliases: [] + description: "Online malware analysis sandbox with multi-format support" + category: online-platforms + platform: online + in_remnux: false + labs: [] + typical_usage: + - "https://filescan.io" + for610_sections: [1] + tags: [sandbox, online] + + - id: urlscan-io + name: "urlscan.io" + aliases: [] + description: "Website and URL investigation service — screenshots, DOM analysis, network requests" + category: online-platforms + platform: online + in_remnux: false + labs: [] + 
typical_usage: + - "https://urlscan.io" + for610_sections: [1] + tags: [url-analysis, website-investigation] + + - id: shodan + name: "Shodan" + aliases: [] + description: "Search engine for internet-connected devices and exposed services" + category: online-platforms + platform: online + in_remnux: false + labs: [] + typical_usage: + - "https://shodan.io" + for610_sections: [1] + tags: [infrastructure, reconnaissance] + + - id: otx + name: "Open Threat Exchange" + aliases: ["OTX", "LevelBlue Labs"] + description: "Threat intelligence sharing platform for indicators of compromise" + category: online-platforms + platform: online + in_remnux: false + labs: [] + typical_usage: + - "https://otx.alienvault.com" + for610_sections: [1] + tags: [threat-intel, ioc-sharing] + + - id: threatfox + name: "ThreatFox" + aliases: [] + description: "Threat intelligence platform for sharing IOCs associated with malware" + category: online-platforms + platform: online + in_remnux: false + labs: [] + typical_usage: + - "https://threatfox.abuse.ch" + for610_sections: [1] + tags: [threat-intel, ioc-sharing, abuse-ch] + + - id: securitytrails + name: "SecurityTrails" + aliases: [] + description: "Historical DNS records and IP/domain intelligence" + category: online-platforms + platform: online + in_remnux: false + labs: [] + typical_usage: + - "https://securitytrails.com" + for610_sections: [1] + tags: [dns-history, domain-intel] + + - id: unpacme + name: "UnpacMe" + aliases: [] + description: "Automated online malware unpacking service" + category: online-platforms + platform: online + in_remnux: false + labs: [] + typical_usage: + - "https://www.unpac.me" + for610_sections: [4] + tags: [unpacking, automated, online] + + # ============================================================ + # VIRTUALIZATION + # ============================================================ + + - id: vmware-workstation + name: "VMware Workstation Pro" + aliases: ["VMware"] + description: "Desktop hypervisor for 
running isolated analysis VMs with snapshots and host-only networking" + category: virtualization + platform: both + in_remnux: false + labs: [] + typical_usage: + - "vmware" + for610_sections: [1] + tags: [hypervisor, vm, isolation] + + - id: vmware-fusion + name: "VMware Fusion" + aliases: [] + description: "macOS hypervisor for running analysis virtual machines" + category: virtualization + platform: both + in_remnux: false + labs: [] + typical_usage: + - "VMware Fusion.app" + for610_sections: [1] + tags: [hypervisor, macos] + + - id: virtualbox + name: "VirtualBox" + aliases: [] + description: "Open-source hypervisor for running analysis virtual machines" + category: virtualization + platform: both + in_remnux: false + labs: [] + typical_usage: + - "VirtualBox" + for610_sections: [1] + tags: [hypervisor, open-source] + + # ============================================================ + # UTILITIES + # ============================================================ + + - id: visual-studio-code + name: "Visual Studio Code" + aliases: ["code", "VS Code"] + description: "Code editor used for viewing decompiled output, scripts, and analysis results" + category: utilities + platform: both + in_remnux: true + labs: ["1.3", "1.4", "1.5", "3.3", "3.6", "3.7", "4.5", "4.8", "5.2", "5.3"] + typical_usage: + - "code filename.js" + for610_sections: [1, 3, 4, 5] + tags: [editor, code-viewer] + + - id: notepadpp + name: "Notepad++" + aliases: [] + description: "Advanced Windows text editor with syntax highlighting for script analysis" + category: utilities + platform: windows + in_remnux: false + labs: ["3.6", "3.8", "3.9", "3.10", "3.11", "3.12", "4.5"] + typical_usage: + - "notepad++ script.ps1" + for610_sections: [3, 4] + tags: [editor, windows] + + - id: jq + name: "jq" + aliases: [] + description: "Command-line JSON processor for extracting and transforming structured data" + category: utilities + platform: linux + in_remnux: true + labs: ["1.4"] + typical_usage: + - "cat 
report.json | jq '.apis'" + - "jq -r '.entry' report.json" + for610_sections: [1] + tags: [json, data-processing] + + - id: feh + name: "feh" + aliases: [] + description: "Lightweight image viewer for viewing extracted images from documents" + category: utilities + platform: linux + in_remnux: true + labs: ["3.1"] + typical_usage: + - "feh extracted_image.jpg" + for610_sections: [3] + tags: [image-viewer] + + - id: winscp + name: "WinSCP" + aliases: [] + description: "Windows SCP/SFTP client for transferring files between Windows and Linux VMs" + category: utilities + platform: windows + in_remnux: false + labs: ["4.5"] + typical_usage: + - "WinSCP.exe" + for610_sections: [4] + tags: [file-transfer, scp] + + - id: wine + name: "Wine" + aliases: [] + description: "Windows compatibility layer — run Windows executables on Linux" + category: utilities + platform: linux + in_remnux: true + labs: ["3.5"] + typical_usage: + - "wine program.exe" + for610_sections: [3] + tags: [windows-compat, execution] + + - id: unzip + name: "unzip" + aliases: [] + description: "Extract ZIP archives containing malware samples" + category: utilities + platform: linux + in_remnux: true + labs: ["1.1", "3.1", "3.3", "3.4", "3.5", "3.6", "3.7", "4.1", "4.8", "5.2", "5.3", "5.4"] + typical_usage: + - "unzip -P infected sample.zip" + for610_sections: [1, 3, 4, 5] + tags: [archive, extraction] + + - id: gunzip + name: "gunzip" + aliases: [] + description: "Decompress gzip-compressed data (often used in multi-stage payload extraction)" + category: utilities + platform: linux + in_remnux: true + labs: ["3.4"] + typical_usage: + - "gunzip -c compressed.gz > output.bin" + for610_sections: [3] + tags: [compression, extraction] + + - id: rar + name: "rar" + aliases: ["unrar"] + description: "Extract RAR archives (including self-extracting RAR payloads)" + category: utilities + platform: both + in_remnux: true + labs: ["3.5"] + typical_usage: + - "rar x archive.rar" + for610_sections: [3] + tags: 
[archive, extraction]
+
+ - id: hexdump
+ name: "hexdump"
+ aliases: []
+ description: "Display file content in hexadecimal format"
+ category: utilities
+ platform: linux
+ in_remnux: true
+ labs: []
+ typical_usage:
+ - "hexdump -C binary.dat"
+ for610_sections: [1]
+ tags: [hex, binary-viewing]
+
+ - id: xxd
+ name: "xxd"
+ aliases: []
+ description: "Create hex dump of a file or reverse a hex dump back to binary"
+ category: utilities
+ platform: linux
+ in_remnux: true
+ labs: []
+ typical_usage:
+ - "xxd binary.exe"
+ - "xxd -r hexdump.txt > binary.exe"
+ for610_sections: [1]
+ tags: [hex, binary-conversion]
+
+ - id: binwalk
+ name: "binwalk"
+ aliases: []
+ description: "Analyze and extract embedded files and firmware images"
+ category: utilities
+ platform: linux
+ in_remnux: true
+ labs: []
+ typical_usage:
+ - "binwalk firmware.bin"
+ - "binwalk -e firmware.bin"
+ for610_sections: [1]
+ tags: [firmware, extraction, embedded-files]
+
+ - id: wget
+ name: "wget"
+ aliases: []
+ description: "Download files from HTTP/HTTPS/FTP servers"
+ category: utilities
+ platform: linux
+ in_remnux: true
+ labs: []
+ typical_usage:
+ - "wget http://example.com/file.bin"
+ for610_sections: [1]
+ tags: [download, http]
+
+ - id: curl
+ name: "curl"
+ aliases: []
+ description: "Transfer data to/from servers using various protocols"
+ category: utilities
+ platform: linux
+ in_remnux: true
+ labs: []
+ typical_usage:
+ - "curl -L http://example.com"
+ - "curl -o output.bin http://example.com/file"
+ for610_sections: [1]
+ tags: [download, http, transfer]
+
+ - id: reg-export
+ name: "reg_export"
+ aliases: []
+ description: "Extract registry key values to files — used to recover malware artifacts stored in registry"
+ category: utilities
+ platform: windows
+ in_remnux: false
+ author: "Adam Kramer"
+ labs: ["4.5"]
+ typical_usage:
+ - "reg_export HKCU\\software\\keyname valuename output.js"
+ for610_sections: [4]
+ tags: [registry, extraction, windows]
+
+ - id: regedit 
+ name: "Regedit"
+ aliases: []
+ description: "Windows Registry Editor for browsing and modifying registry keys"
+ category: utilities
+ platform: windows
+ in_remnux: false
+ labs: ["4.5"]
+ typical_usage:
+ - "regedit.exe"
+ for610_sections: [4]
+ tags: [registry, windows]
diff --git a/data/for610/workflows.yaml b/data/for610/workflows.yaml
new file mode 100644
index 0000000..2f729dd
--- /dev/null
+++ b/data/for610/workflows.yaml
@@ -0,0 +1,588 @@
+# REMnux Analysis Workflows
+# Generic, reusable workflows for malware and forensic analysis
+# All use , , placeholders — not tied to specific specimens
+# Tools marked [W] are Windows-only; all others available in REMnux container
+
+workflows:
+
+ # ============================================================
+ # 1. STATIC ANALYSIS
+ # ============================================================
+ - id: static-analysis-workflow
+ name: "Static Properties Analysis"
+ description: "Systematic static examination of a suspicious file without executing it. Works for PE, ELF, .NET, scripts, and documents."
+ steps:
+ - order: 1
+ name: "File Identification & Hashing"
+ tools: [file, trid, exiftool, sha256sum]
+ description: "Determine file type using magic bytes. Compute hashes (MD5, SHA256) for lookup and documentation. Record file size and timestamps."
+ - order: 2
+ name: "Reputation Check"
+ tools: [malwoverview, virustotal-search]
+ description: "Look up hash on VirusTotal/MalwareBazaar. If known malware, note family name and detection rate. If clean or unknown, continue analysis."
+ - order: 3
+ name: "Packing & Entropy Check"
+ tools: [diec, peframe]
+ description: "Check for packing indicators and high entropy sections. Look for: unusual section names, small import table, high entropy (>7.0). If packed, consider the Unpacking Workflow."
+ - order: 4
+ name: "String Extraction"
+ tools: [strings, floss, pestr]
+ description: "Extract readable strings. Use FLOSS for obfuscated/stack strings. Look for: URLs, IPs, domains, registry keys, file paths, error messages, API names."
+ - order: 5
+ name: "Capability Detection"
+ tools: [capa, yara]
+ description: "Identify capabilities mapped to MITRE ATT&CK. Scan with YARA rules for known malware families. Look for: persistence, C2, evasion, lateral movement capabilities."
+ - order: 6
+ name: "Import & Export Analysis"
+ tools: [peframe, capa]
+ description: "Examine imported DLLs and functions. 
Map imports to behavior categories: networking (ws2_32), crypto (advapi32), process manipulation (kernel32). Check exports for DLL functionality."
+ - order: 7
+ name: "Disassembly (if needed)"
+ tools: [ghidra, cutter, radare2]
+ description: "Load into disassembler for code-level analysis. Start at entry point, trace key functions. Use decompiler for C-like view."
+ - order: 8
+ name: "Document Findings"
+ tools: []
+ description: "Record IOCs: hashes, IPs, domains, file paths, registry keys, mutexes. Classify: malware family, capabilities, confidence level. Decide: continue to behavioral analysis?"
+ related_labs: ["1.1", "2.1", "4.1"]
+ tags: [static, triage, pe-analysis, elf-analysis]
+
+ # ============================================================
+ # 2. BEHAVIORAL ANALYSIS
+ # ============================================================
+ - id: behavioral-analysis-workflow
+ name: "Behavioral Analysis"
+ description: "Monitor runtime behavior in an isolated environment. Applicable to any executable or script on Linux (REMnux) or Windows."
+ steps:
+ - order: 1
+ name: "Environment Preparation"
+ tools: []
+ description: "Revert to clean snapshot. Disconnect from production network. Verify isolation (host-only networking). Set max execution time (2-5 minutes)."
+ - order: 2
+ name: "Network Interception Setup"
+ tools: [fakedns, inetsim, fakenet-ng]
+ description: "Start fake DNS and service emulation so malware gets responses. On REMnux: fakedns for DNS, INetSim or FakeNet-NG for HTTP/HTTPS/SMTP/FTP."
+ - order: 3
+ name: "Monitoring Setup"
+ tools: [wireshark, tcpdump, strace]
+ description: "Start packet capture (wireshark or tcpdump). On Linux: strace/ltrace for syscalls. Start filesystem monitoring."
+ - order: 4
+ name: "Emulation (Safe Alternative)"
+ tools: [speakeasy, capa]
+ description: "Before live execution, try emulation: speakeasy emulates Windows API calls on Linux safely. Use capa -vv for capability overview." 
+ - order: 5
+ name: "Execute & Monitor"
+ tools: []
+ description: "Run the sample with a timeout. Monitor for: new processes spawned, files created/modified, network connections, DNS queries. Kill after 2-5 minutes."
+ - order: 6
+ name: "Analyze Results"
+ tools: [wireshark, procdot]
+ description: "Review network capture: follow TCP streams, extract payloads, identify C2 patterns. Analyze process activity logs. Map filesystem changes."
+ - order: 7
+ name: "Extract IOCs"
+ tools: []
+ description: "Document: contacted domains/IPs, created files/registry keys, spawned processes, persistence mechanisms. Classify behavior: downloader, backdoor, ransomware, etc."
+ related_labs: ["1.2", "1.4", "1.6", "4.5"]
+ tags: [behavioral, dynamic, monitoring, emulation]
+
+ # ============================================================
+ # 3. NETWORK INTERCEPTION
+ # ============================================================
+ - id: network-interception-workflow
+ name: "Network Traffic Interception"
+ description: "Redirect and analyze malware network traffic in an isolated REMnux environment. Covers DNS, HTTP, HTTPS, and raw IP interception."
+ steps:
+ - order: 1
+ name: "DNS Interception"
+ tools: [fakedns]
+ description: "Start fakedns to resolve ALL domains to REMnux IP. Verify: nslookup any-domain.com should return your REMnux IP."
+ - order: 2
+ name: "Service Emulation"
+ tools: [inetsim, fakenet-ng, httpd]
+ description: "Choose emulator based on needed protocols. INetSim: HTTP, HTTPS, DNS, FTP, SMTP (most complete). FakeNet-NG: similar but different engine. httpd: simple HTTP only."
+ - order: 3
+ name: "TLS/HTTPS Interception (if needed)"
+ tools: [mitmproxy, polarproxy]
+ description: "For HTTPS C2: mitmproxy as transparent proxy, or PolarProxy for TLS decryption. Install proxy CA cert on analysis machine if needed."
+ - order: 4
+ name: "Packet Capture"
+ tools: [wireshark, tcpdump]
+ description: "Start capture before executing malware. 
Filter: not arp and not broadcast. Save to PCAP for later analysis."
+ - order: 5
+ name: "Execute & Observe"
+ tools: []
+ description: "Run malware on analysis VM. Watch for: DNS queries (domain names), HTTP requests (URLs, user-agents), raw TCP connections (IP:port)."
+ - order: 6
+ name: "Traffic Analysis"
+ tools: [wireshark, tshark, ngrep, tcpflow]
+ description: "Follow TCP streams for full request/response. Use ngrep for pattern search across packets. Use tcpflow to extract individual streams. Identify beaconing (regular intervals)."
+ - order: 7
+ name: "File Extraction"
+ tools: [tcpxtract, networkminer]
+ description: "Carve files from PCAP: downloaded payloads, exfiltrated data, second-stage malware. NetworkMiner does this automatically."
+ - order: 8
+ name: "IP-Based Redirection (if needed)"
+ tools: [iptables]
+ description: "If malware uses hardcoded IPs (no DNS): iptables -t nat -A PREROUTING -i eth0 -j REDIRECT. This redirects ALL traffic to local services."
+ - order: 9
+ name: "Document Network IOCs"
+ tools: []
+ description: "Record: C2 domains/IPs, URI paths, user-agent strings, beacon intervals, downloaded file hashes, TLS certificate details."
+ related_labs: ["1.3", "1.7", "1.8"]
+ tags: [network, interception, c2, dns, https, pcap]
+
+ # ============================================================
+ # 4. DOCUMENT ANALYSIS
+ # ============================================================
+ - id: document-analysis-workflow
+ name: "Malicious Document Analysis"
+ description: "Analyze suspicious documents (PDF, Office, RTF, OneNote) for embedded malware, macros, and exploits. Follows Zeltser's 6-step methodology."
+ steps:
+ - order: 1
+ name: "Format Identification"
+ tools: [file, trid]
+ description: "Identify true format: OLE2 (legacy Office), OOXML (modern Office), RTF, PDF, OneNote. Don't trust the file extension — use magic bytes." 
+ - order: 2
+ name: "Structure Analysis"
+ tools: [oledump-py, rtfdump-py, pdfid-py, pdf-parser-py, onedump-py]
+ description: "Parse document internals. For Office: oledump.py to list streams (M = macro). For PDF: pdfid.py for risky keywords (/JavaScript, /OpenAction). For RTF: rtfdump.py for hex-heavy groups."
+ - order: 3
+ name: "Password Handling (if encrypted)"
+ tools: [msoffcrypto-tool]
+ description: "If document is password-protected: msoffcrypto-tool -p . Common passwords: infected, malware, password, 123456."
+ - order: 4
+ name: "Macro/Script Extraction"
+ tools: [oledump-py, olevba, pcode2code, XLMMacroDeobfuscator]
+ description: "Extract VBA: oledump.py -s -v. For p-code: pcode2code. For Excel 4.0 macros: XLMMacroDeobfuscator. Check olevba for auto-execute triggers (AutoOpen, Document_Open)."
+ - order: 5
+ name: "Payload Decoding"
+ tools: [base64dump-py, translate-py, gunzip, numbers-to-string-py, cyberchef]
+ description: "Decode embedded payloads. Common chains: Base64 → gunzip → XOR. Use CyberChef for visual multi-step decoding. translate.py for byte-level transforms (byte ^ key)."
+ - order: 6
+ name: "Embedded Object Analysis"
+ tools: [scdbgc, xorsearch, yara, 1768-py]
+ description: "If shellcode found: emulate with scdbgc. Scan for known patterns (YARA). Check for Cobalt Strike beacons (1768.py). Route PE payloads to Static Analysis Workflow."
+ - order: 7
+ name: "Document IOCs"
+ tools: []
+ description: "Record: embedded URLs, downloaded payload hashes, C2 addresses, macro behavior (what APIs called), exploit type (CVE if applicable)."
+ related_labs: ["3.1", "3.3", "3.4", "3.5"]
+ tags: [documents, office, pdf, rtf, macro, onenote]
+
+ # ============================================================
+ # 5. 
JAVASCRIPT DEOBFUSCATION
+ # ============================================================
+ - id: javascript-deobfuscation-workflow
+ name: "JavaScript Deobfuscation"
+ description: "Deobfuscate and analyze malicious JavaScript from web pages, email attachments, or document macros."
+ steps:
+ - order: 1
+ name: "Beautification"
+ tools: [js-beautify]
+ description: "Format minified/compressed JavaScript for readability. Look for: eval() calls, document.write(), String.fromCharCode(), unescape(), atob()."
+ - order: 2
+ name: "Static Review"
+ tools: [visual-studio-code]
+ description: "Identify obfuscation layers. Search for: eval/Function constructor (code execution), long encoded strings, variable name patterns (single chars = likely obfuscated)."
+ - order: 3
+ name: "Safe Execution (SpiderMonkey)"
+ tools: [spidermonkey]
+ description: "Execute outside browser with objects.js to simulate browser/WScript APIs. Command: js -f /usr/share/remnux/objects.js -f . Captures eval'd code without running it."
+ - order: 4
+ name: "Environment Tuning"
+ tools: [visual-studio-code]
+ description: "If script expects specific environment (location.href, navigator.userAgent): edit objects.js to provide expected values. Re-run SpiderMonkey."
+ - order: 5
+ name: "Alternative Analysis"
+ tools: [box-js, jstillery]
+ description: "box-js: Node.js sandbox with WScript emulation. JStillery: AST-based deobfuscation. Use when SpiderMonkey can't handle the obfuscation."
+ - order: 6
+ name: "Payload Identification"
+ tools: []
+ description: "What does the deobfuscated JS do? Common patterns: download & execute (dropper), redirect to exploit kit, credential harvesting. Extract all URLs, IPs, file paths."
+ related_labs: ["3.6", "3.7"]
+ tags: [javascript, deobfuscation, spidermonkey, box-js, web]
+
+ # ============================================================
+ # 6. 
UNPACKING
+ # ============================================================
+ - id: unpacking-workflow
+ name: "Unpacking Packed Executables"
+ description: "Unpack compressed, encrypted, or obfuscated executables to reveal the original code. Covers automated and manual techniques."
+ steps:
+ - order: 1
+ name: "Packing Identification"
+ tools: [diec, peframe]
+ description: "Identify packer: DIE detects UPX, ASPack, PECompact, Themida, etc. Check entropy (>7.0 suggests packing). Look for: few imports, unusual section names (.UPX, .packed)."
+ - order: 2
+ name: "Automated Unpacking"
+ tools: [upx, de4dot]
+ description: "Try known unpackers first. UPX: upx -d . .NET: de4dot . If automated unpacking fails (modified packer), proceed to manual."
+ - order: 3
+ name: "Emulation-Based Unpacking"
+ tools: [speakeasy, qiling]
+ description: "Emulate execution to let the unpacker run. Speakeasy and Qiling can trace API calls during unpacking without a debugger. Look for VirtualAlloc followed by memcpy patterns."
+ - order: 4
+ name: "Debugger-Based Unpacking [W]"
+ tools: [x64dbg, x32dbg]
+ description: "Set breakpoints on: VirtualAlloc/VirtualProtect (memory allocation), tail JMP to OEP (end of unpacker), or stack breakpoint (ESP trick). Step to OEP."
+ - order: 5
+ name: "Anti-Debug Bypass [W]"
+ tools: [scyllahide]
+ description: "If malware detects debugger: enable ScyllaHide. Handles IsDebuggerPresent, NtQueryInformationProcess, timing checks."
+ - order: 6
+ name: "Memory Dumping [W]"
+ tools: [ollydumpex, scylla]
+ description: "At OEP: dump process with OllyDumpEx. Fix IAT with Scylla (IAT Autosearch → Get Imports → Fix Dump)."
+ - order: 7
+ name: "PE Fixup [W]"
+ tools: [pe-unmapper]
+ description: "If dump has virtual alignment: pe_unmapper /in /base 400000 /out . Only needed if sections have wrong raw sizes." 
+ - order: 8
+ name: "Verification"
+ tools: [strings, peframe, capa]
+ description: "Verify: strings are now visible, imports are reasonable, capa detects capabilities. If good, route to Static Analysis Workflow for full analysis."
+ related_labs: ["4.1", "4.2", "4.3", "5.3", "5.8", "5.10"]
+ tags: [unpacking, packing, iat, memory-dump, oep]
+
+ # ============================================================
+ # 7. CODE INJECTION ANALYSIS
+ # ============================================================
+ - id: code-injection-workflow
+ name: "Code Injection Analysis"
+ description: "Identify and analyze process injection techniques including DLL injection, process hollowing, and reflective loading."
+ steps:
+ - order: 1
+ name: "Capability Detection"
+ tools: [capa]
+ description: "Run capa to identify injection techniques. Look for: 'inject code', 'create suspended process', 'allocate RWX memory'. Note MITRE ATT&CK technique IDs."
+ - order: 2
+ name: "Injection Type Classification"
+ tools: [ghidra, cutter]
+ description: "Identify which technique: Classic DLL injection (LoadLibrary), Process Hollowing (CreateProcess SUSPENDED + NtUnmapViewOfSection), Reflective DLL (manual PE loading), APC injection (QueueUserAPC)."
+ - order: 3
+ name: "Target Process Analysis"
+ tools: [ghidra]
+ description: "How does malware choose its target? Look for: CreateToolhelp32Snapshot + Process32First/Next (enumeration), hardcoded process names (svchost.exe, explorer.exe), OpenProcess calls."
+ - order: 4
+ name: "Payload Identification"
+ tools: [ghidra]
+ description: "What gets injected? Trace data flow to WriteProcessMemory or NtWriteVirtualMemory. Is it: embedded PE, shellcode, encrypted blob? Check size and content."
+ - order: 5
+ name: "Memory Allocation Analysis"
+ tools: [ghidra]
+ description: "Examine VirtualAllocEx parameters: size (hints at payload type), protection flags (PAGE_EXECUTE_READWRITE = 0x40 = suspicious). Allocation address for base relocation." 
+ - order: 6
+ name: "Injection Verification [W]"
+ tools: [x32dbg, x64dbg]
+ description: "Set breakpoint on WriteProcessMemory. When hit: examine lpBuffer (injected data), nSize (payload size). Dump the buffer to file for separate analysis."
+ - order: 7
+ name: "Extracted Payload Analysis"
+ tools: [peframe, capa, strings]
+ description: "Analyze the injected payload as standalone file. Route to: Static Analysis Workflow (if PE), Shellcode Workflow (if shellcode), .NET Workflow (if .NET assembly)."
+ - order: 8
+ name: "Document Technique"
+ tools: []
+ description: "Record: injection technique, target process criteria, payload type and hash, API call sequence, memory protection flags. Map to MITRE ATT&CK (T1055.x)."
+ related_labs: ["4.9", "5.4"]
+ tags: [code-injection, process-hollowing, dll-injection, reflective-loading]
+
+ # ============================================================
+ # 8. .NET ANALYSIS
+ # ============================================================
+ - id: dotnet-analysis-workflow
+ name: ".NET Malware Analysis"
+ description: "Analyze .NET malware using decompilation, debugging, and deobfuscation. Works for .NET Framework, .NET Core, and mixed-mode assemblies."
+ steps:
+ - order: 1
+ name: "Identification & Metadata"
+ tools: [peframe, diec, dnfile, dotnetfile]
+ description: "Confirm .NET binary (peframe shows 'CLR'). Check runtime version (.NET 2/4/Core). Use dnfile or dotnetfile for .NET-specific metadata. Note entry point and referenced assemblies."
+ - order: 2
+ name: "Obfuscator Detection"
+ tools: [diec, de4dot]
+ description: "Detect obfuscator: DIE identifies ConfuserEx, Eziriz .NET Reactor, Babel, etc. de4dot -d reports detected obfuscator without modifying the file."
+ - order: 3
+ name: "Decompilation"
+ tools: [ilspycmd, monodis]
+ description: "Decompile to C# source: ilspycmd > output.cs. On REMnux use ilspycmd (CLI). Examine: Main() entry, suspicious class/method names, embedded resources." 
+ - order: 4
+ name: "Dynamic Loading Detection"
+ tools: [visual-studio-code]
+ description: "Search decompiled code for: Assembly.Load(byte[]), Assembly.LoadFrom(), Activator.CreateInstance(), MethodInfo.Invoke(), CSharpCodeProvider. These indicate runtime code loading."
+ - order: 5
+ name: "Deobfuscation"
+ tools: [de4dot]
+ description: "Run: de4dot -o . If de4dot fails: try with --dont-rename flag, or manually rename obfuscated symbols. For ConfuserEx: de4dot handles most variants."
+ - order: 6
+ name: "Dynamic Debugging [W]"
+ tools: [dnspyex]
+ description: "If static analysis insufficient: load in dnSpyEx, set breakpoint on Assembly.Load or suspicious method. Run and inspect Locals window for decrypted payloads. Save byte[] arrays to disk."
+ - order: 7
+ name: "Extracted Payload Analysis"
+ tools: [ilspycmd, peframe]
+ description: "Analyze extracted payload: is it another .NET assembly? (recurse this workflow). Is it a PE file? (route to Static Analysis). Document the unpacking chain."
+ - order: 8
+ name: "Document Findings"
+ tools: []
+ description: "Record: obfuscator type, .NET version, loading mechanism, payload hashes, C2 endpoints found in decompiled code, encryption keys/algorithms."
+ related_labs: ["3.12", "4.8"]
+ tags: [dotnet, decompilation, deobfuscation, ilspy, de4dot]
+
+ # ============================================================
+ # 9. SHELLCODE ANALYSIS (NEW)
+ # ============================================================
+ - id: shellcode-analysis-workflow
+ name: "Shellcode Analysis"
+ description: "Analyze extracted shellcode from documents, exploits, or injected processes. Covers detection, emulation, and payload identification."
+ steps:
+ - order: 1
+ name: "Shellcode Detection"
+ tools: [xorsearch, yara, capa]
+ description: "Scan carrier file for shellcode patterns. XORSearch -W -d 3 detects common shellcode signatures even when XOR-encoded. YARA rules catch known frameworks." 
+ - order: 2
+ name: "Extraction"
+ tools: [rtfdump-py, oledump-py, pdf-parser-py]
+ description: "Extract shellcode from carrier. For RTF: rtfdump.py -s -H -d > sc.bin. For OLE: oledump.py -s -d > sc.bin. For PDF: pdf-parser.py -o -d sc.bin."
+ - order: 3
+ name: "Emulation"
+ tools: [scdbgc, speakeasy]
+ description: "Emulate without execution. scdbgc /f sc.bin /s -1 shows API calls. speakeasy -t sc.bin -r -a x86 for deeper emulation. Look for: URL downloads, file writes, process creation."
+ - order: 4
+ name: "Framework Identification"
+ tools: [yara, 1768-py]
+ description: "Check for known frameworks. 1768.py identifies Cobalt Strike beacons. YARA rules detect Metasploit, Cobalt Strike, custom frameworks. Document beacon config if found."
+ - order: 5
+ name: "Conversion to EXE"
+ tools: [shcode2exe]
+ description: "Convert shellcode to executable for static analysis: shcode2exe sc.bin sc.exe. Then analyze with peframe, strings, ghidra."
+ - order: 6
+ name: "String & IOC Extraction"
+ tools: [strings, floss, cyberchef]
+ description: "Extract strings from shellcode. Look for: C2 URLs, download paths, filename markers, encryption keys. Use CyberChef for encoded content."
+ - order: 7
+ name: "Document Findings"
+ tools: []
+ description: "Record: shellcode offset in carrier, size, encoding/XOR key, framework (Metasploit/CS/custom), C2 address, downloaded payload URL, technique (staged/stageless)."
+ related_labs: ["3.4", "3.5", "4.6", "4.7"]
+ tags: [shellcode, emulation, cobalt-strike, metasploit, scdbg]
+
+ # ============================================================
+ # 10. STRING & DATA DEOBFUSCATION (NEW)
+ # ============================================================
+ - id: string-deobfuscation-workflow
+ name: "String & Data Deobfuscation"
+ description: "Decode obfuscated strings and data in malware. Covers XOR, Base64, stack strings, custom algorithms, and multi-layer encoding." 
+ steps:
+ - order: 1
+ name: "Automated Extraction"
+ tools: [floss, strings]
+ description: "Start with FLOSS for automatic deobfuscation (static + stack + decoded strings). Compare against plain strings output. FLOSS --no-static for only decoded strings."
+ - order: 2
+ name: "Encoding Detection"
+ tools: [xorsearch, bbcrack]
+ description: "Identify encoding algorithm. XORSearch: detect XOR with known plaintext (http:, MZ, This program). bbcrack: brute-force XOR, ROL, ADD at multiple levels."
+ - order: 3
+ name: "Single-Byte XOR Recovery"
+ tools: [brxor-py, xortool]
+ description: "For single-byte XOR: brxor.py finds English words. xortool guesses key length and probable key. xortool-xor -s -i -o decoded.bin to decode."
+ - order: 4
+ name: "Multi-Byte / Custom Decoding"
+ tools: [translate-py, cyberchef]
+ description: "For custom algorithms: translate.py 'byte ^ key' or complex expressions. CyberChef for visual recipe building (XOR → Base64 → Gunzip chains). Document the recipe."
+ - order: 5
+ name: "Stack String Recovery"
+ tools: [strdeob-pl, floss]
+ description: "For strings built on the stack (MOV byte-by-byte): strdeob.pl or FLOSS stack string detection. Common in evasive malware to avoid string extraction."
+ - order: 6
+ name: "Validation & IOC Extraction"
+ tools: []
+ description: "Review decoded strings. Extract IOCs: C2 addresses, registry keys, file paths, API names, credentials. Compare against known malware family patterns."
+ related_labs: ["1.5", "5.2"]
+ tags: [strings, xor, deobfuscation, floss, cyberchef, encoding]
+
+ # ============================================================
+ # 11. MEMORY FORENSICS (NEW)
+ # ============================================================
+ - id: memory-forensics-workflow
+ name: "Memory Forensics"
+ description: "Analyze memory dumps to find malware artifacts, injected code, and hidden processes. Uses Volatility 3 framework on REMnux." 
+ steps:
+ - order: 1
+ name: "Image Identification"
+ tools: [volatility3]
+ description: "Determine OS and profile: vol3 -f windows.info (or linux.info). Verify image is valid and identify OS version, build, architecture."
+ - order: 2
+ name: "Process Analysis"
+ tools: [volatility3]
+ description: "List processes: vol3 -f windows.pslist / windows.pstree. Look for: suspicious names, unusual parent-child relationships, processes with no window title, duplicate system processes."
+ - order: 3
+ name: "Network Connections"
+ tools: [volatility3]
+ description: "List connections: vol3 -f windows.netscan. Identify: C2 connections, unusual ports, connections to known-bad IPs. Cross-reference with process PIDs."
+ - order: 4
+ name: "Injection Detection"
+ tools: [volatility3]
+ description: "Detect injected code: vol3 -f windows.malfind. Shows: processes with executable memory not backed by a file. Dump suspicious regions for further analysis."
+ - order: 5
+ name: "DLL Analysis"
+ tools: [volatility3]
+ description: "List loaded DLLs: vol3 -f windows.dlllist --pid . Look for: DLLs loaded from unusual paths (temp, appdata), unsigned DLLs, DLLs not in known-good baseline."
+ - order: 6
+ name: "String Search"
+ tools: [volatility3, strings]
+ description: "Search for known IOCs in memory: vol3 -f windows.strings. Also: strings | grep -i ''. Look for URLs, domains, file paths, commands."
+ - order: 7
+ name: "Process & Code Dumping"
+ tools: [volatility3]
+ description: "Extract suspicious processes: vol3 -f windows.dumpfiles --pid . Extract injected code regions from malfind results. Analyze dumped files with Static Analysis Workflow."
+ - order: 8
+ name: "Timeline Reconstruction"
+ tools: [volatility3]
+ description: "Build timeline: vol3 -f timeliner.Timeliner. Reconstruct: when malware started, what it did, lateral movement. Correlate with process tree and network data." 
+ related_labs: []
+ tags: [memory, forensics, volatility, injection, incident-response]
+
+ # ============================================================
+ # 12. ANDROID MALWARE ANALYSIS (NEW)
+ # ============================================================
+ - id: android-analysis-workflow
+ name: "Android Malware Analysis"
+ description: "Analyze suspicious Android APK files using static and dynamic techniques available in REMnux."
+ steps:
+ - order: 1
+ name: "APK Triage"
+ tools: [file, apkid]
+ description: "Verify file type and check for packers/obfuscators. APKiD detects: known packers (DexGuard, Bangcle), obfuscators, anti-debug techniques."
+ - order: 2
+ name: "Manifest Analysis"
+ tools: [apktool]
+ description: "Decompile APK: apktool d -o output/. Examine AndroidManifest.xml for: excessive permissions, receivers, services, exported components, intent filters."
+ - order: 3
+ name: "Source Code Recovery"
+ tools: [jadx]
+ description: "Decompile DEX to Java: jadx -d output/. Review source code for: C2 URLs, crypto operations, SMS interception, data exfiltration, root checks."
+ - order: 4
+ name: "Static Analysis"
+ tools: [androguard, droidlysis]
+ description: "androguard: analyze APK structure, permissions, activities. droidlysis: automated static analysis with IOC extraction. Check for: hardcoded keys, URLs, suspicious API usage."
+ - order: 5
+ name: "Native Library Analysis"
+ tools: [strings, radare2]
+ description: "If APK contains .so libraries: extract from lib/ directory. Analyze with strings and radare2. Native code often hides C2 logic and crypto."
+ - order: 6
+ name: "Dynamic Instrumentation"
+ tools: [frida]
+ description: "Hook suspicious functions at runtime: frida -U -l hook.js . Intercept: crypto operations, network calls, file access, SMS operations." 
+ - order: 7
+ name: "Document Findings"
+ tools: []
+ description: "Record: package name, permissions abused, C2 infrastructure, data exfiltrated, persistence mechanism, targeted user data (SMS, contacts, location)."
+ related_labs: []
+ tags: [android, apk, mobile, frida, jadx, apktool]
+
+ # ============================================================
+ # 13. JAVA MALWARE ANALYSIS (NEW)
+ # ============================================================
+ - id: java-analysis-workflow
+ name: "Java Malware Analysis"
+ description: "Analyze malicious Java archives (JAR), applets, and compiled classes. Covers decompilation and code analysis."
+ steps:
+ - order: 1
+ name: "Archive Inspection"
+ tools: [unzip, file]
+ description: "Extract JAR contents: unzip -d output/. Examine META-INF/MANIFEST.MF for Main-Class entry point. List all .class files."
+ - order: 2
+ name: "Decompilation"
+ tools: [cfr, jd-gui]
+ description: "Decompile with CFR: cfr --outputdir output/. Or use JD-GUI for visual browsing. CFR handles modern Java (lambdas, try-with-resources) better."
+ - order: 3
+ name: "Multi-Decompiler Comparison"
+ tools: [cfr, procyon]
+ description: "If one decompiler fails on a class: try Procyon. Compare outputs. Some obfuscators break specific decompilers while others handle them fine."
+ - order: 4
+ name: "Code Analysis"
+ tools: [visual-studio-code]
+ description: "Review decompiled source. Search for: Runtime.exec() (command execution), URLConnection (network), Cipher (crypto), File I/O operations, reflection (Class.forName)."
+ - order: 5
+ name: "Resource Extraction"
+ tools: [strings]
+ description: "Extract embedded resources and strings. Check for: encoded payloads in resources, config files, embedded binaries. Base64-encoded content is common."
+ - order: 6
+ name: "Document Findings"
+ tools: []
+ description: "Record: entry point class, malicious methods, URLs/IPs, downloaded payloads, commands executed, Java version requirements." 
+ related_labs: []
+ tags: [java, jar, decompilation, cfr, jd-gui]
+
+ # ============================================================
+ # 14. EMAIL & PHISHING ANALYSIS (NEW)
+ # ============================================================
+ - id: email-analysis-workflow
+ name: "Email & Phishing Analysis"
+ description: "Analyze suspicious email messages for phishing indicators, malicious attachments, and weaponized links."
+ steps:
+ - order: 1
+ name: "Header Analysis"
+ tools: [emldump-py, mail-parser]
+ description: "Parse SMTP headers: emldump.py . Check: Received headers (delivery path), Return-Path vs From (spoofing), SPF/DKIM results, X-Mailer."
+ - order: 2
+ name: "Attachment Extraction"
+ tools: [emldump-py, msg-extractor]
+ description: "Extract attachments: emldump.py -d. For MSG format: msg-extractor . List all attachments with types and sizes."
+ - order: 3
+ name: "Attachment Triage"
+ tools: [file, trid, yara, sha256sum]
+ description: "For each attachment: identify type, compute hash, scan with YARA. Route to appropriate workflow: Document Analysis (Office/PDF), Static Analysis (PE), JavaScript Deobfuscation (JS/HTML)."
+ - order: 4
+ name: "Link Analysis"
+ tools: [unfurl]
+ description: "Extract all URLs from email body and headers. Use Unfurl to decompose URLs (reveal tracking pixels, redirect chains, encoded parameters)."
+ - order: 5
+ name: "Payload Analysis"
+ tools: []
+ description: "Analyze extracted attachments using the appropriate workflow. Common patterns: Office doc with macro → downloads PE, PDF with link → credential harvester, HTML attachment → phishing page."
+ - order: 6
+ name: "Document IOCs"
+ tools: []
+ description: "Record: sender address and IP, subject line, attachment names and hashes, all URLs, C2/phishing domains, email infrastructure (mail server names)."
+ related_labs: []
+ tags: [email, phishing, eml, msg, attachments, headers]
+
+ # ============================================================
+ # 15. 
COBALT STRIKE ANALYSIS (NEW)
+ # ============================================================
+ - id: cobalt-strike-workflow
+ name: "Cobalt Strike Analysis"
+ description: "Analyze Cobalt Strike beacons, configurations, and network traffic using Didier Stevens' CS toolkit on REMnux."
+ steps:
+ - order: 1
+ name: "Beacon Detection"
+ tools: [yara, capa]
+ description: "Scan suspect file with YARA rules for CS signatures. capa detects 'receive data from C2' and beacon-like capabilities. Check for: characteristic 200KB+ size, sleep patterns."
+ - order: 2
+ name: "Configuration Extraction"
+ tools: [1768-py]
+ description: "Parse beacon config: 1768.py . Extracts: C2 URLs, user-agent, beacon interval, watermark, spawn-to process, named pipes, proxy config."
+ - order: 3
+ name: "Metadata Decryption"
+ tools: [cs-decrypt-metadata-py]
+ description: "Decrypt beacon metadata from network captures: cs-decrypt-metadata.py . Reveals: computer name, user, process info sent to team server."
+ - order: 4
+ name: "Key Extraction"
+ tools: [cs-extract-key-py]
+ description: "Extract encryption keys: cs-extract-key.py -f . Recovers AES and HMAC keys used for C2 communication encryption."
+ - order: 5
+ name: "Traffic Decryption"
+ tools: [cs-parse-traffic-py]
+ description: "Decrypt C2 traffic: cs-parse-traffic.py -f -k . Reveals: tasking commands, downloaded payloads, exfiltrated data."
+ - order: 6
+ name: "Sleep Mask Analysis"
+ tools: [cs-analyze-processdump-py]
+ description: "Analyze sleep mask: cs-analyze-processdump.py . Detects if beacon encrypts itself in memory during sleep. Useful for memory forensics."
+ - order: 7
+ name: "Document Findings"
+ tools: []
+ description: "Record: C2 domains/IPs, beacon interval, watermark (operator ID), user-agent strings, named pipe patterns, spawn-to process, malleable C2 profile indicators."
+ related_labs: ["3.4"]
+ tags: [cobalt-strike, c2, beacon, didier-stevens, threat-intel]
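Review bot: The command examples in many step descriptions have lost their placeholder arguments — the header reads `# All use , , placeholders` and steps read `msoffcrypto-tool -p .`, `UPX: upx -d . .NET: de4dot .` and `cs-parse-traffic.py -f -k .` — which looks like angle-bracket tokens for the sample file, password and key being dropped somewhere between the YAML and this rendering; if the committed file still carries them, a bracket style that survives HTML and JSON round-trips, e.g. `UPX: upx -d {packed.exe}` (constructed example), would keep the generated cheatsheets from showing bare flags with nothing after them. Separately, every `tools:` list names inventory ids (`virustotal-search`, `pe-unmapper`, `brxor-py`, `strdeob-pl`, `cs-analyze-processdump-py`) that nothing in this file checks, so a typo becomes a silent dangling reference in the generated artifacts; having the build step that consumes this file fail, or at least warn, on an id that does not resolve against the tools YAML would catch that early. A top-of-file comment stating the contract, `# Every entry in tools: must be an id from the tools YAML; [] means a manual step`, would make it explicit for the next contributor.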
diff --git a/data/generated/categories.json b/data/generated/categories.json
new file mode 100644
index 0000000..d46bb58
--- /dev/null
+++ b/data/generated/categories.json
@@ -0,0 +1,94 @@ +{ + "categories": [ + { + "id": "pdf-analysis", + "name": "PDF Analysis", + "description": "Tools for analyzing PDF document structure, objects, and embedded content" + }, + { + "id": "document-analysis", + "name": "Document & Macro Analysis", + "description": "Tools for examining Office documents, RTF files, email, and embedded macros" + }, + { + "id": "static-analysis-pe", + "name": "Static Analysis (PE)", + "description": "Tools for static examination of Windows PE executables \u2014 headers, imports, strings, entropy" + }, + { + "id": "behavioral-analysis", + "name": "Behavioral Analysis", + "description": "Tools for monitoring runtime behavior \u2014 processes, filesystem, registry, API calls" + }, + { + "id": "network-analysis", + "name": "Network Analysis & Interception", + "description": "Tools for capturing, analyzing, and simulating network traffic" + }, + { + "id": "code-analysis", + "name": "Code Analysis & Disassembly", + "description": "Disassemblers and decompilers for static code-level analysis" + }, + { + "id": "debugging", + "name": "Debugging", + "description": "Debuggers for dynamic code-level analysis, breakpoints, and memory inspection" + }, + { + "id": "emulation", + "name": "Emulation & Sandboxing", + "description": "Tools that emulate execution of binaries, shellcode, or scripts without native execution" + }, + { + "id": "unpacking", + "name": "Unpacking & Dumping", + "description": "Tools for unpacking compressed/encrypted executables and dumping from memory" + }, + { + "id": "dotnet-analysis", + "name": ".NET Analysis", + "description": "Decompilers, debuggers, and deobfuscators specialized for .NET/CLR malware" + }, + { + "id": "javascript-analysis", + "name": "JavaScript Analysis", + "description": "Tools for deobfuscating and analyzing malicious JavaScript" + }, + { + "id": "powershell-analysis", + "name": "PowerShell Analysis", + "description": "Tools for debugging, decoding, and analyzing malicious PowerShell 
scripts" + }, + { + "id": "string-deobfuscation", + "name": "String & Data Deobfuscation", + "description": "Tools for decoding XOR, Base64, stack strings, and other obfuscation techniques" + }, + { + "id": "yara-detection", + "name": "YARA & Capability Detection", + "description": "Pattern matching and capability identification tools" + }, + { + "id": "anti-analysis", + "name": "Anti-Analysis Bypass", + "description": "Plugins and techniques for bypassing debugger detection and anti-analysis measures" + }, + { + "id": "online-platforms", + "name": "Online Analysis Platforms", + "description": "Web-based sandboxes, scanners, and threat intelligence services" + }, + { + "id": "virtualization", + "name": "Virtualization", + "description": "Hypervisors and VM platforms for isolated malware analysis labs" + }, + { + "id": "utilities", + "name": "Utilities", + "description": "General-purpose utilities used within malware analysis workflows" + } + ] +} \ No newline at end of file diff --git a/data/generated/cheatsheets/1768.py.cheat b/data/generated/cheatsheets/1768.py.cheat new file mode 100644 index 0000000..176d2ba --- /dev/null +++ b/data/generated/cheatsheets/1768.py.cheat @@ -0,0 +1,18 @@ +# 1768.py +# Parse Cobalt Strike beacon configuration from shellcode or memory dumps +# FOR610 Labs: 3.4 | Sections: 3 | Author: Didier Stevens +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + +% cobalt-strike, beacon, c2-config, didier-stevens + +# Basic usage +1768.py shellcode.bin + + +# --- Recipes (multi-tool chains) --- + +# >> Parse Cobalt Strike Beacon Configuration +# Scan with YARA for CS signatures +yara-rules +# Extract beacon configuration +1768.py diff --git a/data/generated/cheatsheets/7-zip.cheat b/data/generated/cheatsheets/7-zip.cheat new file mode 100644 index 0000000..a029532 --- /dev/null +++ b/data/generated/cheatsheets/7-zip.cheat 
@@ -0,0 +1,9 @@
+# 7-Zip
+# Compress and decompress files using a variety of algorithms.
+# Category: Examine Static Properties > General
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
+
+% 7-zip
+
+# Show help for 7-Zip
+7-Zip --help
diff --git a/data/generated/cheatsheets/7zip.cheat b/data/generated/cheatsheets/7zip.cheat
new file mode 100644
index 0000000..07dc326
--- /dev/null
+++ b/data/generated/cheatsheets/7zip.cheat
@@ -0,0 +1,7 @@
+# 7zip
+# Installed via: apt (remnux-packages-p7zip-full)
+
+% 7zip
+
+# Show help for 7zip
+7zip --help
diff --git a/data/generated/cheatsheets/aeskeyfind.cheat b/data/generated/cheatsheets/aeskeyfind.cheat
new file mode 100644
index 0000000..47dc41c
--- /dev/null
+++ b/data/generated/cheatsheets/aeskeyfind.cheat
@@ -0,0 +1,7 @@
+# aeskeyfind
+# Installed via: apt (aeskeyfind)
+
+% aeskeyfind
+
+# Show help for aeskeyfind
+aeskeyfind --help
diff --git a/data/generated/cheatsheets/aeskeyfinder.cheat b/data/generated/cheatsheets/aeskeyfinder.cheat
new file mode 100644
index 0000000..0ec2d4e
--- /dev/null
+++ b/data/generated/cheatsheets/aeskeyfinder.cheat
@@ -0,0 +1,9 @@
+# AESKeyFinder
+# Find 128-bit and 256-bit AES keys in a memory image.
+# Category: Perform Memory Forensics
+# Docs: https://docs.remnux.org/discover-the-tools/perform+memory+forensics
+
+% aeskeyfinder
+
+# Show help for AESKeyFinder
+AESKeyFinder --help
diff --git a/data/generated/cheatsheets/androguard.cheat b/data/generated/cheatsheets/androguard.cheat
new file mode 100644
index 0000000..662efb9
--- /dev/null
+++ b/data/generated/cheatsheets/androguard.cheat
@@ -0,0 +1,14 @@ +# androguard +# Analyze Android APK files — extract permissions, activities, intents, and decompile DEX code +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android + +% android, apk, permissions, decompilation + +# Basic usage +androguard analyze + +# Output to file +androguard decompile -o output/ + +# Save output to file +androgui.py diff --git a/data/generated/cheatsheets/android-project-creator.cheat b/data/generated/cheatsheets/android-project-creator.cheat new file mode 100644 index 0000000..82c0fcb --- /dev/null +++ b/data/generated/cheatsheets/android-project-creator.cheat @@ -0,0 +1,7 @@ +# android-project-creator +# Installed via: unknown (android-project-creator) + +% android-project-creator + +# Show help for android-project-creator +android-project-creator --help diff --git a/data/generated/cheatsheets/androidprojectcreator.cheat b/data/generated/cheatsheets/androidprojectcreator.cheat new file mode 100644 index 0000000..21c42d5 --- /dev/null +++ b/data/generated/cheatsheets/androidprojectcreator.cheat @@ -0,0 +1,9 @@ +# AndroidProjectCreator +# Convert an Android APK application file into an Android Studio project for easier analysis. +# Category: Statically Analyze Code > Android +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android + +% androidprojectcreator + +# Show help for AndroidProjectCreator +AndroidProjectCreator --help diff --git a/data/generated/cheatsheets/anomy.cheat b/data/generated/cheatsheets/anomy.cheat new file mode 100644 index 0000000..ddad034 --- /dev/null +++ b/data/generated/cheatsheets/anomy.cheat @@ -0,0 +1,9 @@ +# anomy +# A wrapper around wget, ssh, sftp, ftp, and telnet to route these connections through Tor to anonymize your traffic. +# Category: Explore Network Interactions > Connecting +# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting + +% anomy + +# Show help for anomy +anomy --help 
diff --git a/data/generated/cheatsheets/apkid.cheat b/data/generated/cheatsheets/apkid.cheat new file mode 100644 index 0000000..5f525c4 --- /dev/null +++ b/data/generated/cheatsheets/apkid.cheat @@ -0,0 +1,9 @@ +# apkid +# Identify compilers, packers, and obfuscators used to protect Android APK and DEX files. +# Category: Statically Analyze Code > Android +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android + +% apkid + +# Show help for apkid +apkid --help diff --git a/data/generated/cheatsheets/apktool.cheat b/data/generated/cheatsheets/apktool.cheat new file mode 100644 index 0000000..995797a --- /dev/null +++ b/data/generated/cheatsheets/apktool.cheat @@ -0,0 +1,24 @@ +# apktool +# Decompile and recompile Android APK files — extract resources, smali code, and manifest +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android + +% android, apk, decompilation, resources + +# Basic usage +apktool d -o output/ + +# Output to file +apktool b output/ -o rebuilt.apk + + +# --- Recipes (multi-tool chains) --- + +# >> Quick APK Triage +# Check for packers/obfuscators +apkid +# Decompile to smali + resources +apktool d -o output/ +# Check permissions +grep 'uses-permission' output/AndroidManifest.xml +# Decompile to Java source +jadx -d src/ diff --git a/data/generated/cheatsheets/apt-utils.cheat b/data/generated/cheatsheets/apt-utils.cheat new file mode 100644 index 0000000..aeacec3 --- /dev/null +++ b/data/generated/cheatsheets/apt-utils.cheat @@ -0,0 +1,7 @@ +# apt-utils +# Installed via: apt (apt-utils) + +% apt-utils + +# Show help for apt-utils +apt-utils --help diff --git a/data/generated/cheatsheets/archive-zip.cheat b/data/generated/cheatsheets/archive-zip.cheat new file mode 100644 index 0000000..b2623fb --- /dev/null +++ b/data/generated/cheatsheets/archive-zip.cheat @@ -0,0 +1,7 @@ +# archive-zip +# Installed via: perl (cpan) + +% archive-zip + +# Show help for archive-zip +archive-zip --help 
diff --git a/data/generated/cheatsheets/autoconf.cheat b/data/generated/cheatsheets/autoconf.cheat new file mode 100644 index 0000000..8c497e9 --- /dev/null +++ b/data/generated/cheatsheets/autoconf.cheat @@ -0,0 +1,7 @@ +# autoconf +# Installed via: apt (autoconf) + +% autoconf + +# Show help for autoconf +autoconf --help diff --git a/data/generated/cheatsheets/autoit-ripper.cheat b/data/generated/cheatsheets/autoit-ripper.cheat new file mode 100644 index 0000000..3770cfe --- /dev/null +++ b/data/generated/cheatsheets/autoit-ripper.cheat @@ -0,0 +1,9 @@ +# autoit-ripper +# Extract AutoIt scripts embedded in PE binaries. +# Category: Statically Analyze Code > Scripts +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts + +% autoit-ripper + +# Show help for autoit-ripper +autoit-ripper --help diff --git a/data/generated/cheatsheets/autologin.cheat b/data/generated/cheatsheets/autologin.cheat new file mode 100644 index 0000000..606d4bf --- /dev/null +++ b/data/generated/cheatsheets/autologin.cheat @@ -0,0 +1,7 @@ +# autologin +# Installed via: unknown (autologin) + +% autologin + +# Show help for autologin +autologin --help diff --git a/data/generated/cheatsheets/automake.cheat b/data/generated/cheatsheets/automake.cheat new file mode 100644 index 0000000..6a806f2 --- /dev/null +++ b/data/generated/cheatsheets/automake.cheat @@ -0,0 +1,7 @@ +# automake +# Installed via: apt (automake) + +% automake + +# Show help for automake +automake --help diff --git a/data/generated/cheatsheets/baksmali.cheat b/data/generated/cheatsheets/baksmali.cheat new file mode 100644 index 0000000..2526c7b --- /dev/null +++ b/data/generated/cheatsheets/baksmali.cheat 
@@ -0,0 +1,9 @@ +# baksmali +# Disassembler for the dex format used by Dalvik, Android's Java VM implementation. +# Category: Statically Analyze Code > Android +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android + +% baksmali + +# Show help for baksmali +baksmali --help diff --git a/data/generated/cheatsheets/balbuzard.cheat b/data/generated/cheatsheets/balbuzard.cheat new file mode 100644 index 0000000..f6e6e5e --- /dev/null +++ b/data/generated/cheatsheets/balbuzard.cheat @@ -0,0 +1,9 @@ +# balbuzard +# Extract and deobfuscate patterns from suspicious files. +# Category: Examine Static Properties > Deobfuscation +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + +% balbuzard + +# Show help for balbuzard +balbuzard --help diff --git a/data/generated/cheatsheets/base64dump.py.cheat b/data/generated/cheatsheets/base64dump.py.cheat new file mode 100644 index 0000000..3343764 --- /dev/null +++ b/data/generated/cheatsheets/base64dump.py.cheat 
@@ -0,0 +1,53 @@ +# base64dump.py +# Extract and decode Base64-encoded strings from files +# FOR610 Labs: 3.4, 4.5 | Sections: 3, 4 | Author: Didier Stevens +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + +% base64, decoding, didier-stevens + +# Basic usage +base64dump.py file.txt + +# Suppress default output +base64dump.py file.ps1 -n 10 + +# Select specific item +base64dump.py file.ps1 -s 2 -d + + +# --- Recipes (multi-tool chains) --- + +# >> Extract Base64 PowerShell from Office Macro +# List streams — find macro (M) and data streams +oledump.py +# Extract VBA source to understand what the macro does +oledump.py -s -v +# Scan data stream for Base64 strings +oledump.py -s -d | base64dump.py -n 10 +# Decode the longest Base64 hit to file +oledump.py -s -d | base64dump.py -s 1 -d > payload.ps1 + +# >> Decode Base64 + Gzip Payload +# Find Base64 strings in the script +base64dump.py -n 10 +# Decode Base64 and decompress gzip in one chain +base64dump.py -s -d | gunzip > decoded.ps1 + +# >> Decode Base64 + XOR Shellcode +# Find Base64 strings +base64dump.py -n 10 +# Decode Base64, then XOR with key +base64dump.py -s -d | translate.py 'byte ^ ' > shellcode.bin + +# >> Full Office Macro Decode Chain +# Step 1: List streams and extract VBA +oledump.py +oledump.py -s -v +# Step 2: Extract Base64 from data stream +oledump.py -s -d | base64dump.py -s 1 -d > stage1.ps1 +# Step 3: Decode second Base64 layer + decompress +base64dump.py stage1.ps1 -s 3 -d | gunzip > stage2.ps1 +# Step 4: XOR decode the shellcode +base64dump.py stage2.ps1 -s 2 -d | translate.py 'byte ^ 35' > shellcode.bin +# Step 5: Emulate the shellcode +scdbgc /f shellcode.bin /s -1 diff --git a/data/generated/cheatsheets/bash-history.cheat b/data/generated/cheatsheets/bash-history.cheat new file mode 100644 index 0000000..bd168ab --- /dev/null +++ b/data/generated/cheatsheets/bash-history.cheat 
@@ -0,0 +1,7 @@ +# bash-history +# Installed via: unknown (bash-history) + +% bash-history + +# Show help for bash-history +bash-history --help diff --git a/data/generated/cheatsheets/bash-rc.cheat b/data/generated/cheatsheets/bash-rc.cheat new file mode 100644 index 0000000..bde1c9b --- /dev/null +++ b/data/generated/cheatsheets/bash-rc.cheat @@ -0,0 +1,7 @@ +# bash-rc +# Installed via: unknown (bash-rc) + +% bash-rc + +# Show help for bash-rc +bash-rc --help diff --git a/data/generated/cheatsheets/bbcrack.cheat b/data/generated/cheatsheets/bbcrack.cheat new file mode 100644 index 0000000..f47b75b --- /dev/null +++ b/data/generated/cheatsheets/bbcrack.cheat @@ -0,0 +1,23 @@ +# bbcrack +# Detect and decode strings obfuscated with XOR, ROL, and ADD algorithms +# FOR610 Labs: 5.2 | Sections: 5 + +% xor, rol, add, deobfuscation, balbuzard + +# Basic usage +bbcrack -l 1 specimen.dll + + +# --- Recipes (multi-tool chains) --- + +# >> Brute-Force XOR Key +# Quick check for XOR-encoded URLs/PE headers +XORSearch http: +# Brute-force single-byte XOR keys +brxor.py +# Try XOR, ROL, ADD combinations +bbcrack -l 1 +# Guess multi-byte XOR key length and value +xortool +# Decode with known key +xortool-xor -s '' -i -o diff --git a/data/generated/cheatsheets/bearparser.cheat b/data/generated/cheatsheets/bearparser.cheat new file mode 100644 index 0000000..2c5f702 --- /dev/null +++ b/data/generated/cheatsheets/bearparser.cheat @@ -0,0 +1,7 @@ +# bearparser +# Installed via: apt (bearparser) + +% bearparser + +# Show help for bearparser +bearparser --help diff --git a/data/generated/cheatsheets/binee--binary-emulation-environment.cheat b/data/generated/cheatsheets/binee--binary-emulation-environment.cheat new file mode 100644 index 0000000..f62ed9a --- /dev/null +++ b/data/generated/cheatsheets/binee--binary-emulation-environment.cheat 
@@ -0,0 +1,9 @@ +# binee (Binary Emulation Environment) +# Analyze I/O operations of a suspicious PE file by emulating its execution. +# Category: Statically Analyze Code > PE Files +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files + +% binee--binary-emulation-environment + +# Show help for binee (Binary Emulation Environment) +binee (Binary Emulation Environment) --help diff --git a/data/generated/cheatsheets/binee.cheat b/data/generated/cheatsheets/binee.cheat new file mode 100644 index 0000000..a80c2a7 --- /dev/null +++ b/data/generated/cheatsheets/binee.cheat @@ -0,0 +1,7 @@ +# binee +# Installed via: unknown (binee) + +% binee + +# Show help for binee +binee --help diff --git a/data/generated/cheatsheets/binutils.cheat b/data/generated/cheatsheets/binutils.cheat new file mode 100644 index 0000000..4adb257 --- /dev/null +++ b/data/generated/cheatsheets/binutils.cheat @@ -0,0 +1,7 @@ +# binutils +# Installed via: apt (binutils) + +% binutils + +# Show help for binutils +binutils --help diff --git a/data/generated/cheatsheets/binwalk.cheat b/data/generated/cheatsheets/binwalk.cheat new file mode 100644 index 0000000..5337abd --- /dev/null +++ b/data/generated/cheatsheets/binwalk.cheat @@ -0,0 +1,12 @@ +# binwalk +# Analyze and extract embedded files and firmware images +# Sections: 1 +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + +% firmware, extraction, embedded-files + +# Basic usage +binwalk firmware.bin + +# Alternative usage +binwalk -e firmware.bin diff --git a/data/generated/cheatsheets/box-js.cheat b/data/generated/cheatsheets/box-js.cheat new file mode 100644 index 0000000..0fbd948 --- /dev/null +++ b/data/generated/cheatsheets/box-js.cheat 
@@ -0,0 +1,9 @@ +# box-js +# JavaScript sandbox for analyzing malicious scripts by emulating browser/WScript APIs +# Sections: 3 +# Docs: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts + +% javascript, sandbox, emulation + +# Basic usage +box-js --output-dir=/tmp suspicious.js diff --git a/data/generated/cheatsheets/brxor.py.cheat b/data/generated/cheatsheets/brxor.py.cheat new file mode 100644 index 0000000..32f545f --- /dev/null +++ b/data/generated/cheatsheets/brxor.py.cheat @@ -0,0 +1,24 @@ +# brxor.py +# Brute-force XOR key detection for single-byte XOR-encoded strings +# FOR610 Labs: 5.2 | Sections: 5 +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + +% xor, brute-force, deobfuscation + +# Basic usage +brxor.py specimen.dll + + +# --- Recipes (multi-tool chains) --- + +# >> Brute-Force XOR Key +# Quick check for XOR-encoded URLs/PE headers +XORSearch http: +# Brute-force single-byte XOR keys +brxor.py +# Try XOR, ROL, ADD combinations +bbcrack -l 1 +# Guess multi-byte XOR key length and value +xortool +# Decode with known key +xortool-xor -s '' -i -o diff --git a/data/generated/cheatsheets/build-essential.cheat b/data/generated/cheatsheets/build-essential.cheat new file mode 100644 index 0000000..a5be2ae --- /dev/null +++ b/data/generated/cheatsheets/build-essential.cheat @@ -0,0 +1,7 @@ +# build-essential +# Installed via: apt (build-essential) + +% build-essential + +# Show help for build-essential +build-essential --help diff --git a/data/generated/cheatsheets/bulk-extractor.cheat b/data/generated/cheatsheets/bulk-extractor.cheat new file mode 100644 index 0000000..ca5cbce --- /dev/null +++ b/data/generated/cheatsheets/bulk-extractor.cheat 
@@ -0,0 +1,9 @@
+# bulk-extractor
+# Extract interesting strings from binary files.
+# Category: Examine Static Properties > General
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
+
+% bulk-extractor
+
+# Show help for bulk-extractor
+bulk-extractor --help
diff --git a/data/generated/cheatsheets/bundler.cheat b/data/generated/cheatsheets/bundler.cheat
new file mode 100644
index 0000000..c401d49
--- /dev/null
+++ b/data/generated/cheatsheets/bundler.cheat
@@ -0,0 +1,7 @@
+# bundler
+# Installed via: apt (bundler)
+
+% bundler
+
+# Show help for bundler
+bundler --help
diff --git a/data/generated/cheatsheets/burp-suite-community-edition.cheat b/data/generated/cheatsheets/burp-suite-community-edition.cheat
new file mode 100644
index 0000000..146fb38
--- /dev/null
+++ b/data/generated/cheatsheets/burp-suite-community-edition.cheat
@@ -0,0 +1,9 @@
+# Burp Suite Community Edition
+# Investigate website interactions using this web proxy.
+# Category: Explore Network Interactions > Monitoring
+# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring
+
+% burp-suite-community-edition
+
+# Show help for Burp Suite Community Edition
+Burp Suite Community Edition --help
diff --git a/data/generated/cheatsheets/burpsuite-community.cheat b/data/generated/cheatsheets/burpsuite-community.cheat
new file mode 100644
index 0000000..dc35603
--- /dev/null
+++ b/data/generated/cheatsheets/burpsuite-community.cheat
@@ -0,0 +1,7 @@
+# burpsuite-community
+# Installed via: apt (remnux-packages-burpsuite-community)
+
+% burpsuite-community
+
+# Show help for burpsuite-community
+burpsuite-community --help
diff --git a/data/generated/cheatsheets/bytehist.cheat b/data/generated/cheatsheets/bytehist.cheat
new file mode 100644
index 0000000..d636c56
--- /dev/null
+++ b/data/generated/cheatsheets/bytehist.cheat
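Review bot: `Burp Suite Community Edition --help` in burp-suite-community-edition.cheat is the display title from the REMnux docs page used as a shell command; a cheatsheet runner would execute `Burp` with the remaining words as arguments, so the only runnable line in the entry cannot work. The same pattern hits every docs-scraped entry in this diff (`7-Zip --help`, `AESKeyFinder --help`, and `binee (Binary Emulation Environment) --help`, where the unquoted parentheses are a shell syntax error), while the salt-state entry `burpsuite-community.cheat` right next to it carries a package name that is at least a plausible executable, so the merge step presumably has the information needed to choose. Suggest the generator emit the `# Show help for …` pair only when it has a resolved command name with no whitespace, and otherwise keep just the description and docs URL. The duplicate pairs (7-Zip/7zip, AESKeyFinder/aeskeyfind, Burp…/burpsuite-community) also suggest the docs and salt sources are not being merged per tool before artifacts are written.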
@@ -0,0 +1,9 @@ +# Bytehist +# Generate byte-usage histograms to visually identify packed or encrypted sections in binaries +# Sections: 1, 4 +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/unpacking + +% pe, entropy, packing-detection, histogram + +# Basic usage +bytehist specimen.exe diff --git a/data/generated/cheatsheets/cabextract.cheat b/data/generated/cheatsheets/cabextract.cheat new file mode 100644 index 0000000..c115fdf --- /dev/null +++ b/data/generated/cheatsheets/cabextract.cheat @@ -0,0 +1,9 @@ +# cabextract +# Extract Microsoft cabinet (cab) files. +# Category: General Utilities +# Docs: https://docs.remnux.org/discover-the-tools/general+utilities + +% cabextract + +# Show help for cabextract +cabextract --help diff --git a/data/generated/cheatsheets/capa.cheat b/data/generated/cheatsheets/capa.cheat new file mode 100644 index 0000000..21111bd --- /dev/null +++ b/data/generated/cheatsheets/capa.cheat @@ -0,0 +1,28 @@ +# capa +# Identify malware capabilities mapped to MITRE ATT&CK framework and Malware Behavior Catalog +# FOR610 Labs: 1.4, 5.4 | Sections: 1, 5 +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files + +% capabilities, mitre-attack, automated-analysis + +# Basic usage +capa specimen.exe + +# Verbose output with details +capa -vv specimen.exe + +# Verbose output with details +capa -vv specimen.exe | grep -A7 'Suspended Process' + + +# --- Recipes (multi-tool chains) --- + +# >> Filter Capabilities by Technique +# Full capabilities report +capa +# Verbose with rule matches +capa -vv +# Filter for specific technique +capa -vv | grep -A7 '' +# Find injection-related capabilities +capa -vv | grep -A7 'inject\|hollow\|suspend' diff --git a/data/generated/cheatsheets/cast.cheat b/data/generated/cheatsheets/cast.cheat new file mode 100644 index 0000000..d229086 --- /dev/null +++ b/data/generated/cheatsheets/cast.cheat 
@@ -0,0 +1,9 @@ +# cast +# Install and manage SaltStack-based Linux distributions. +# Category: General Utilities +# Docs: https://docs.remnux.org/discover-the-tools/general+utilities + +% cast + +# Show help for cast +cast --help diff --git a/data/generated/cheatsheets/cffi.cheat b/data/generated/cheatsheets/cffi.cheat new file mode 100644 index 0000000..1eb7489 --- /dev/null +++ b/data/generated/cheatsheets/cffi.cheat @@ -0,0 +1,7 @@ +# cffi +# Installed via: pip (remnux-python3-packages-cffi) + +% cffi + +# Show help for cffi +cffi --help diff --git a/data/generated/cheatsheets/cfr.cheat b/data/generated/cheatsheets/cfr.cheat new file mode 100644 index 0000000..71ba22d --- /dev/null +++ b/data/generated/cheatsheets/cfr.cheat @@ -0,0 +1,11 @@ +# cfr +# Modern Java decompiler — handles Java 8+ features including lambdas and try-with-resources +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/java + +% java, decompilation, jar + +# Basic usage +cfr --outputdir output/ + +# Save output to file +cfr diff --git a/data/generated/cheatsheets/chepy.cheat b/data/generated/cheatsheets/chepy.cheat new file mode 100644 index 0000000..28183ca --- /dev/null +++ b/data/generated/cheatsheets/chepy.cheat @@ -0,0 +1,9 @@ +# chepy +# Decode and otherwise analyze data using this command-line tool and Python library. +# Category: Examine Static Properties > Deobfuscation +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + +% chepy + +# Show help for chepy +chepy --help diff --git a/data/generated/cheatsheets/clamav-daemon.cheat b/data/generated/cheatsheets/clamav-daemon.cheat new file mode 100644 index 0000000..16b23e6 --- /dev/null +++ b/data/generated/cheatsheets/clamav-daemon.cheat @@ -0,0 +1,7 @@ +# clamav-daemon +# Installed via: apt (clamav-daemon) + +% clamav-daemon + +# Show help for clamav-daemon +clamav-daemon --help 
diff --git a/data/generated/cheatsheets/clamav.cheat b/data/generated/cheatsheets/clamav.cheat
new file mode 100644
index 0000000..e1d18ec
--- /dev/null
+++ b/data/generated/cheatsheets/clamav.cheat
@@ -0,0 +1,14 @@
+# ClamAV
+# Open-source antivirus — scan files for known malware signatures
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
+
+% antivirus, scanning, signatures
+
+# Basic usage
+clamscan
+
+# Recursive/follow references
+clamscan -r /
+
+# Alternative usage
+freshclam
diff --git a/data/generated/cheatsheets/cobalt-strike-configuration-extractor--csce--and-parser.cheat b/data/generated/cheatsheets/cobalt-strike-configuration-extractor--csce--and-parser.cheat
new file mode 100644
index 0000000..26985cb
--- /dev/null
+++ b/data/generated/cheatsheets/cobalt-strike-configuration-extractor--csce--and-parser.cheat
@@ -0,0 +1,9 @@
+# Cobalt Strike Configuration Extractor (CSCE) and Parser
+# Analyze Cobalt Strike beacons.
+# Category: Examine Static Properties > Deobfuscation
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+
+% cobalt-strike-configuration-extractor--csce--and-parser
+
+# Show help for Cobalt Strike Configuration Extractor (CSCE) and Parser
+Cobalt Strike Configuration Extractor (CSCE) and Parser --help
diff --git a/data/generated/cheatsheets/compatibility.cheat b/data/generated/cheatsheets/compatibility.cheat
new file mode 100644
index 0000000..0bfad04
--- /dev/null
+++ b/data/generated/cheatsheets/compatibility.cheat
@@ -0,0 +1,7 @@
+# compatibility
+# Installed via: unknown (compatibility)
+
+% compatibility
+
+# Show help for compatibility
+compatibility --help
diff --git a/data/generated/cheatsheets/cs-analyze-processdump.py.cheat b/data/generated/cheatsheets/cs-analyze-processdump.py.cheat
new file mode 100644
index 0000000..62fe787
--- /dev/null
+++ b/data/generated/cheatsheets/cs-analyze-processdump.py.cheat
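Review bot: `clamscan -r /` in clamav.cheat recurses the whole container filesystem, which will descend into /proc, /sys and /dev pseudo-files and spend its time on the base image rather than on the specimen an analyst actually wants scanned; a cheatsheet line should point at a samples directory, e.g. `clamscan -r --infected --exclude-dir='^/(proc|sys|dev)' /path/to/samples`. The label `# Recursive/follow references` does not describe `-r` (recursion only), and `# Alternative usage` over `freshclam` hides that this command updates the signature database and needs outbound network access, which an isolated analysis lab may deliberately block; a label such as `# Update signature database (requires network)` would say what the analyst needs to know. The labels look like they come from a fixed list in the generator rather than from the YAML, so the fix may belong in scripts/generate-help-artifacts.py rather than in this artifact.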
@@ -0,0 +1,8 @@
+# cs-analyze-processdump.py
+# Analyze Cobalt Strike beacon process dumps for sleep mask encoding
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+
+% cobalt-strike, sleep-mask, memory
+
+# Basic usage
+cs-analyze-processdump.py
diff --git a/data/generated/cheatsheets/cs-decrypt-metadata.py.cheat b/data/generated/cheatsheets/cs-decrypt-metadata.py.cheat
new file mode 100644
index 0000000..b46c4b7
--- /dev/null
+++ b/data/generated/cheatsheets/cs-decrypt-metadata.py.cheat
@@ -0,0 +1,8 @@
+# cs-decrypt-metadata.py
+# Decrypt Cobalt Strike beacon metadata from network captures
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+
+% cobalt-strike, decryption, metadata
+
+# Basic usage
+cs-decrypt-metadata.py
diff --git a/data/generated/cheatsheets/cs-extract-key.py.cheat b/data/generated/cheatsheets/cs-extract-key.py.cheat
new file mode 100644
index 0000000..e48cea2
--- /dev/null
+++ b/data/generated/cheatsheets/cs-extract-key.py.cheat
@@ -0,0 +1,8 @@
+# cs-extract-key.py
+# Extract AES and HMAC encryption keys from Cobalt Strike beacon process memory dumps
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+
+% cobalt-strike, encryption, key-extraction
+
+# Basic usage
+cs-extract-key.py -f
diff --git a/data/generated/cheatsheets/cs-parse-traffic.py.cheat b/data/generated/cheatsheets/cs-parse-traffic.py.cheat
new file mode 100644
index 0000000..071e929
--- /dev/null
+++ b/data/generated/cheatsheets/cs-parse-traffic.py.cheat
@@ -0,0 +1,8 @@
+# cs-parse-traffic.py
+# Decrypt and parse Cobalt Strike beacon network traffic using extracted keys
+# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring
+
+% cobalt-strike, traffic, decryption
+
+# Basic usage
+cs-parse-traffic.py -f -k
diff --git a/data/generated/cheatsheets/curl.cheat b/data/generated/cheatsheets/curl.cheat
new file mode 100644
index 0000000..204a897
--- /dev/null
+++ b/data/generated/cheatsheets/curl.cheat
@@ -0,0 +1,12 @@
+# curl
+# Transfer data to/from servers using various protocols
+# Sections: 1
+# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting
+
+% download, http, transfer
+
+# Basic usage
+curl -L http://example.com
+
+# Output to file
+curl -o output.bin http://example.com/file
diff --git a/data/generated/cheatsheets/cut-bytes.py.cheat b/data/generated/cheatsheets/cut-bytes.py.cheat
new file mode 100644
index 0000000..9a65932
--- /dev/null
+++ b/data/generated/cheatsheets/cut-bytes.py.cheat
@@ -0,0 +1,9 @@
+# cut-bytes.py
+# Cut out a part of a data stream.
+# Category: Examine Static Properties > Deobfuscation
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+
+% cut-bytes.py
+
+# Show help for cut-bytes.py
+cut-bytes.py --help
diff --git a/data/generated/cheatsheets/cutter.cheat b/data/generated/cheatsheets/cutter.cheat
new file mode 100644
index 0000000..a8deaf1
--- /dev/null
+++ b/data/generated/cheatsheets/cutter.cheat
@@ -0,0 +1,9 @@
+# Cutter
+# Open-source reverse engineering platform — Qt-based GUI for radare2
+# Sections: 2
+# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/general
+
+% disassembly, radare2, open-source
+
+# Basic usage
+cutter specimen.exe
diff --git a/data/generated/cheatsheets/cyberchef.cheat b/data/generated/cheatsheets/cyberchef.cheat
new file mode 100644
index 0000000..80ab72c
--- /dev/null
+++ b/data/generated/cheatsheets/cyberchef.cheat
@@ -0,0 +1,18 @@ +# CyberChef +# Web-based data transformation tool — decode Base64, XOR, hex, decompress, and chain operations +# FOR610 Labs: 1.5, 3.8, 3.12 | Sections: 1, 3 +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + +% decoding, encoding, transformation, web-based + +# Basic usage +cyberchef + + +# --- Recipes (multi-tool chains) --- + +# >> Visual XOR/Base64 Decode with CyberChef +# Launch CyberChef +cyberchef +# Common recipe: From Hex → XOR (key) → extract strings +# Common recipe: From Base64 → Decode text UTF-16LE diff --git a/data/generated/cheatsheets/dc3-mwcp.cheat b/data/generated/cheatsheets/dc3-mwcp.cheat new file mode 100644 index 0000000..f80972a --- /dev/null +++ b/data/generated/cheatsheets/dc3-mwcp.cheat @@ -0,0 +1,11 @@ +# dc3-mwcp +# DC3 Malware Configuration Parser — extract C2 configs from known malware families +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + +% malware, config-extraction, c2 + +# Basic usage +mwcp parse + +# Save output to file +mwcp parse -p Emotet diff --git a/data/generated/cheatsheets/de4dot.cheat b/data/generated/cheatsheets/de4dot.cheat new file mode 100644 index 0000000..ec9866f --- /dev/null +++ b/data/generated/cheatsheets/de4dot.cheat @@ -0,0 +1,21 @@ +# de4dot +# .NET deobfuscator — remove obfuscation from .NET assemblies +# FOR610 Labs: 4.8 | Sections: 4 +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/.net + +% dotnet, deobfuscation + +# Basic usage +de4dot obfuscated.exe + + +# --- Recipes (multi-tool chains) --- + +# >> Decompile .NET on Command Line +# Decompile to C# source +ilspycmd > source.cs +# Search for suspicious patterns +grep -n 'Assembly.Load\|WebClient\|Process.Start' source.cs +# If obfuscated, deobfuscate first +de4dot +ilspycmd > source_clean.cs 
diff --git a/data/generated/cheatsheets/decode-vbe.py.cheat b/data/generated/cheatsheets/decode-vbe.py.cheat new file mode 100644 index 0000000..26ae35b --- /dev/null +++ b/data/generated/cheatsheets/decode-vbe.py.cheat @@ -0,0 +1,9 @@ +# decode-vbe.py +# Decode encoded VBS scripts (VBE). +# Category: Statically Analyze Code > Scripts +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts + +% decode-vbe.py + +# Show help for decode-vbe.py +decode-vbe.py --help diff --git a/data/generated/cheatsheets/decompyle.cheat b/data/generated/cheatsheets/decompyle.cheat new file mode 100644 index 0000000..46edbf7 --- /dev/null +++ b/data/generated/cheatsheets/decompyle.cheat @@ -0,0 +1,9 @@ +# Decompyle++ +# Python bytecode disassembler and decompiler. +# Category: Statically Analyze Code > Python +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/python + +% decompyle + +# Show help for Decompyle++ +Decompyle++ --help diff --git a/data/generated/cheatsheets/default-jdk.cheat b/data/generated/cheatsheets/default-jdk.cheat new file mode 100644 index 0000000..2df941c --- /dev/null +++ b/data/generated/cheatsheets/default-jdk.cheat @@ -0,0 +1,7 @@ +# default-jdk +# Installed via: apt (default-jdk) + +% default-jdk + +# Show help for default-jdk +default-jdk --help diff --git a/data/generated/cheatsheets/default-jre.cheat b/data/generated/cheatsheets/default-jre.cheat new file mode 100644 index 0000000..4299583 --- /dev/null +++ b/data/generated/cheatsheets/default-jre.cheat @@ -0,0 +1,7 @@ +# default-jre +# Installed via: apt (default-jre) + +% default-jre + +# Show help for default-jre +default-jre --help diff --git a/data/generated/cheatsheets/dex2jar.cheat b/data/generated/cheatsheets/dex2jar.cheat new file mode 100644 index 0000000..aebb82b --- /dev/null +++ b/data/generated/cheatsheets/dex2jar.cheat 
@@ -0,0 +1,9 @@ +# dex2jar +# Examine Dalvik Executable (dex) files. +# Category: Statically Analyze Code > Android +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android + +% dex2jar + +# Show help for dex2jar +dex2jar --help diff --git a/data/generated/cheatsheets/dexray.cheat b/data/generated/cheatsheets/dexray.cheat new file mode 100644 index 0000000..39d2348 --- /dev/null +++ b/data/generated/cheatsheets/dexray.cheat @@ -0,0 +1,9 @@ +# dexray +# Extract and decode data from antivirus quarantine files. +# Category: Gather and Analyze Data +# Docs: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + +% dexray + +# Show help for dexray +dexray --help diff --git a/data/generated/cheatsheets/dialog.cheat b/data/generated/cheatsheets/dialog.cheat new file mode 100644 index 0000000..858d9bd --- /dev/null +++ b/data/generated/cheatsheets/dialog.cheat @@ -0,0 +1,7 @@ +# dialog +# Installed via: apt (dialog) + +% dialog + +# Show help for dialog +dialog --help diff --git a/data/generated/cheatsheets/didier-stevens-scripts.cheat b/data/generated/cheatsheets/didier-stevens-scripts.cheat new file mode 100644 index 0000000..222abcf --- /dev/null +++ b/data/generated/cheatsheets/didier-stevens-scripts.cheat @@ -0,0 +1,7 @@ +# didier-stevens-scripts +# Installed via: pip (remnux-python3-packages-dissect-fusepy-prereq) + +% didier-stevens-scripts + +# Show help for didier-stevens-scripts +didier-stevens-scripts --help diff --git a/data/generated/cheatsheets/diec.cheat b/data/generated/cheatsheets/diec.cheat new file mode 100644 index 0000000..c31a046 --- /dev/null +++ b/data/generated/cheatsheets/diec.cheat @@ -0,0 +1,9 @@ +# diec +# Detect packers, compilers, and tools used to create executables +# FOR610 Labs: 4.1 | Sections: 1, 4 +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + +% pe, packer-detection, compiler-detection + +# Basic usage +diec specimen.exe 
diff --git a/data/generated/cheatsheets/disitool.cheat b/data/generated/cheatsheets/disitool.cheat new file mode 100644 index 0000000..35a6898 --- /dev/null +++ b/data/generated/cheatsheets/disitool.cheat @@ -0,0 +1,9 @@ +# disitool +# Manipulate embedded digital signatures. +# Category: Examine Static Properties > General +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + +% disitool + +# Show help for disitool +disitool --help diff --git a/data/generated/cheatsheets/display.cheat b/data/generated/cheatsheets/display.cheat new file mode 100644 index 0000000..6bf6c04 --- /dev/null +++ b/data/generated/cheatsheets/display.cheat @@ -0,0 +1,7 @@ +# display +# Installed via: unknown (set-scaling) + +% display + +# Show help for display +display --help diff --git a/data/generated/cheatsheets/dissect.cheat b/data/generated/cheatsheets/dissect.cheat new file mode 100644 index 0000000..972b66a --- /dev/null +++ b/data/generated/cheatsheets/dissect.cheat @@ -0,0 +1,9 @@ +# dissect +# Perform a variety of forensics and incident response tasks using this DFIR framework and toolset. +# Category: Gather and Analyze Data +# Docs: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + +% dissect + +# Show help for dissect +dissect --help diff --git a/data/generated/cheatsheets/distro-info.cheat b/data/generated/cheatsheets/distro-info.cheat new file mode 100644 index 0000000..03a9a07 --- /dev/null +++ b/data/generated/cheatsheets/distro-info.cheat @@ -0,0 +1,7 @@ +# distro-info +# Installed via: pip (distro-info) + +% distro-info + +# Show help for distro-info +distro-info --help diff --git a/data/generated/cheatsheets/dllcharacteristics.cheat b/data/generated/cheatsheets/dllcharacteristics.cheat new file mode 100644 index 0000000..acf8149 --- /dev/null +++ b/data/generated/cheatsheets/dllcharacteristics.cheat 
@@ -0,0 +1,7 @@ +# dllcharacteristics +# Installed via: script (dllcharacteristics.py) + +% dllcharacteristics + +# Show help for dllcharacteristics +dllcharacteristics --help diff --git a/data/generated/cheatsheets/dnfile.cheat b/data/generated/cheatsheets/dnfile.cheat new file mode 100644 index 0000000..9fd430f --- /dev/null +++ b/data/generated/cheatsheets/dnfile.cheat @@ -0,0 +1,9 @@ +# dnfile +# Analyze static properties of. +# Category: Examine Static Properties > .NET +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/.net + +% dnfile + +# Show help for dnfile +dnfile --help diff --git a/data/generated/cheatsheets/dnslib.cheat b/data/generated/cheatsheets/dnslib.cheat new file mode 100644 index 0000000..bde7292 --- /dev/null +++ b/data/generated/cheatsheets/dnslib.cheat @@ -0,0 +1,9 @@ +# dnslib +# Python library to encode/decode DNS wire-format packets. +# Category: Gather and Analyze Data +# Docs: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + +% dnslib + +# Show help for dnslib +dnslib --help diff --git a/data/generated/cheatsheets/dnsresolver.py.cheat b/data/generated/cheatsheets/dnsresolver.py.cheat new file mode 100644 index 0000000..4aa5418 --- /dev/null +++ b/data/generated/cheatsheets/dnsresolver.py.cheat @@ -0,0 +1,9 @@ +# dnsresolver.py +# DNS resolver tool for dynamic analysis with wildcard and tracking support. +# Category: Explore Network Interactions > Services +# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services + +% dnsresolver.py + +# Show help for dnsresolver.py +dnsresolver.py --help diff --git a/data/generated/cheatsheets/docker.cheat b/data/generated/cheatsheets/docker.cheat new file mode 100644 index 0000000..ccea270 --- /dev/null +++ b/data/generated/cheatsheets/docker.cheat 
@@ -0,0 +1,9 @@ +# docker +# Run and manage containers. +# Category: General Utilities +# Docs: https://docs.remnux.org/discover-the-tools/general+utilities + +% docker + +# Show help for docker +docker --help diff --git a/data/generated/cheatsheets/dog.cheat b/data/generated/cheatsheets/dog.cheat new file mode 100644 index 0000000..259e5c6 --- /dev/null +++ b/data/generated/cheatsheets/dog.cheat @@ -0,0 +1,7 @@ +# dog +# Installed via: unknown (dog) + +% dog + +# Show help for dog +dog --help diff --git a/data/generated/cheatsheets/dos2unix.cheat b/data/generated/cheatsheets/dos2unix.cheat new file mode 100644 index 0000000..fd037b4 --- /dev/null +++ b/data/generated/cheatsheets/dos2unix.cheat @@ -0,0 +1,9 @@ +# dos2unix +# Convert text files with Windows or macOS line breaks to Unix line breaks and vice versa. +# Category: View or Edit Files +# Docs: https://docs.remnux.org/discover-the-tools/view+or+edit+files + +% dos2unix + +# Show help for dos2unix +dos2unix --help diff --git a/data/generated/cheatsheets/dot-cache.cheat b/data/generated/cheatsheets/dot-cache.cheat new file mode 100644 index 0000000..8b0d957 --- /dev/null +++ b/data/generated/cheatsheets/dot-cache.cheat @@ -0,0 +1,7 @@ +# dot-cache +# Installed via: unknown (dot-cache) + +% dot-cache + +# Show help for dot-cache +dot-cache --help diff --git a/data/generated/cheatsheets/dot-config.cheat b/data/generated/cheatsheets/dot-config.cheat new file mode 100644 index 0000000..f33d41d --- /dev/null +++ b/data/generated/cheatsheets/dot-config.cheat @@ -0,0 +1,7 @@ +# dot-config +# Installed via: unknown (dot-config) + +% dot-config + +# Show help for dot-config +dot-config --help diff --git a/data/generated/cheatsheets/dot-cpan.cheat b/data/generated/cheatsheets/dot-cpan.cheat new file mode 100644 index 0000000..bbcfc48 --- /dev/null +++ b/data/generated/cheatsheets/dot-cpan.cheat @@ -0,0 +1,7 @@ +# dot-cpan +# Installed via: unknown (dot-cpan) + +% dot-cpan + +# Show help for dot-cpan +dot-cpan --help 
diff --git a/data/generated/cheatsheets/dot-dbus.cheat b/data/generated/cheatsheets/dot-dbus.cheat new file mode 100644 index 0000000..e38ca3b --- /dev/null +++ b/data/generated/cheatsheets/dot-dbus.cheat @@ -0,0 +1,7 @@ +# dot-dbus +# Installed via: unknown (dot-dbus) + +% dot-dbus + +# Show help for dot-dbus +dot-dbus --help diff --git a/data/generated/cheatsheets/dot-local.cheat b/data/generated/cheatsheets/dot-local.cheat new file mode 100644 index 0000000..5e2b923 --- /dev/null +++ b/data/generated/cheatsheets/dot-local.cheat @@ -0,0 +1,7 @@ +# dot-local +# Installed via: unknown (dot-local) + +% dot-local + +# Show help for dot-local +dot-local --help diff --git a/data/generated/cheatsheets/dotnet-runtime-3-1.cheat b/data/generated/cheatsheets/dotnet-runtime-3-1.cheat new file mode 100644 index 0000000..ea976c8 --- /dev/null +++ b/data/generated/cheatsheets/dotnet-runtime-3-1.cheat @@ -0,0 +1,7 @@ +# dotnet-runtime-3-1 +# Installed via: apt (dotnet3) + +% dotnet-runtime-3-1 + +# Show help for dotnet-runtime-3-1 +dotnet-runtime-3-1 --help diff --git a/data/generated/cheatsheets/dotnetfile.cheat b/data/generated/cheatsheets/dotnetfile.cheat new file mode 100644 index 0000000..bf55f05 --- /dev/null +++ b/data/generated/cheatsheets/dotnetfile.cheat @@ -0,0 +1,9 @@ +# dotnetfile +# Analyze static properties of. +# Category: Examine Static Properties > .NET +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/.net + +% dotnetfile + +# Show help for dotnetfile +dotnetfile --help diff --git a/data/generated/cheatsheets/droidlysis.cheat b/data/generated/cheatsheets/droidlysis.cheat new file mode 100644 index 0000000..f370b65 --- /dev/null +++ b/data/generated/cheatsheets/droidlysis.cheat 
@@ -0,0 +1,9 @@ +# droidlysis +# Perform static analysis of Android applications. +# Category: Examine Static Properties > General +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + +% droidlysis + +# Show help for droidlysis +droidlysis --help diff --git a/data/generated/cheatsheets/edb-debugger.cheat b/data/generated/cheatsheets/edb-debugger.cheat new file mode 100644 index 0000000..0f13b6f --- /dev/null +++ b/data/generated/cheatsheets/edb-debugger.cheat @@ -0,0 +1,7 @@ +# edb-debugger +# Installed via: apt (edb-debugger) + +% edb-debugger + +# Show help for edb-debugger +edb-debugger --help diff --git a/data/generated/cheatsheets/emldump.py.cheat b/data/generated/cheatsheets/emldump.py.cheat new file mode 100644 index 0000000..59bce6b --- /dev/null +++ b/data/generated/cheatsheets/emldump.py.cheat @@ -0,0 +1,22 @@ +# emldump.py +# Parse and analyze EML email message files +# Sections: 3 | Author: Didier Stevens +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages + +% email, eml, didier-stevens + +# Basic usage +emldump.py message.eml + + +# --- Recipes (multi-tool chains) --- + +# >> Extract and Triage Email Attachments +# List email structure +emldump.py +# Extract all attachments +emldump.py -d +# Identify file types +file attachment_* +# Compute hashes for lookup +sha256sum attachment_* diff --git a/data/generated/cheatsheets/enchant.cheat b/data/generated/cheatsheets/enchant.cheat new file mode 100644 index 0000000..a621053 --- /dev/null +++ b/data/generated/cheatsheets/enchant.cheat @@ -0,0 +1,7 @@ +# enchant +# Installed via: apt (remnux-packages-enchant) + +% enchant + +# Show help for enchant +enchant --help diff --git a/data/generated/cheatsheets/epic-irc-client.cheat b/data/generated/cheatsheets/epic-irc-client.cheat new file mode 100644 index 0000000..7c0387c --- /dev/null +++ b/data/generated/cheatsheets/epic-irc-client.cheat 
@@ -0,0 +1,9 @@ +# EPIC IRC Client +# Examine IRC activities with this IRC client. +# Category: Explore Network Interactions > Connecting +# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting + +% epic-irc-client + +# Show help for EPIC IRC Client +EPIC IRC Client --help diff --git a/data/generated/cheatsheets/epic5.cheat b/data/generated/cheatsheets/epic5.cheat new file mode 100644 index 0000000..dee203c --- /dev/null +++ b/data/generated/cheatsheets/epic5.cheat @@ -0,0 +1,7 @@ +# epic5 +# Installed via: apt (epic5) + +% epic5 + +# Show help for epic5 +epic5 --help diff --git a/data/generated/cheatsheets/evilclippy.cheat b/data/generated/cheatsheets/evilclippy.cheat new file mode 100644 index 0000000..5cefcb7 --- /dev/null +++ b/data/generated/cheatsheets/evilclippy.cheat @@ -0,0 +1,9 @@ +# evilclippy +# Remove VBA project password protection and manipulate Office macro settings +# Sections: 3 +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + +% office, vba, password-removal + +# Basic usage +evilclippy -uu document.docm diff --git a/data/generated/cheatsheets/evince.cheat b/data/generated/cheatsheets/evince.cheat new file mode 100644 index 0000000..27ec3a3 --- /dev/null +++ b/data/generated/cheatsheets/evince.cheat @@ -0,0 +1,9 @@ +# evince +# View documents in a variety of formats, including PDF. +# Category: View or Edit Files +# Docs: https://docs.remnux.org/discover-the-tools/view+or+edit+files + +% evince + +# Show help for evince +evince --help diff --git a/data/generated/cheatsheets/ex-pe-xor.cheat b/data/generated/cheatsheets/ex-pe-xor.cheat new file mode 100644 index 0000000..689b86b --- /dev/null +++ b/data/generated/cheatsheets/ex-pe-xor.cheat 
@@ -0,0 +1,9 @@ +# ex-pe-xor +# Search an XOR'ed file for indications of executable binaries. +# Category: Examine Static Properties > Deobfuscation +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + +% ex-pe-xor + +# Show help for ex-pe-xor +ex-pe-xor --help diff --git a/data/generated/cheatsheets/exfat-utils.cheat b/data/generated/cheatsheets/exfat-utils.cheat new file mode 100644 index 0000000..52d34ca --- /dev/null +++ b/data/generated/cheatsheets/exfat-utils.cheat @@ -0,0 +1,7 @@ +# exfat-utils +# Installed via: apt (remnux-packages-exfat-utils) + +% exfat-utils + +# Show help for exfat-utils +exfat-utils --help diff --git a/data/generated/cheatsheets/exiftool.cheat b/data/generated/cheatsheets/exiftool.cheat new file mode 100644 index 0000000..926539d --- /dev/null +++ b/data/generated/cheatsheets/exiftool.cheat @@ -0,0 +1,12 @@ +# exiftool +# Extract metadata from files (PDF, images, documents, executables) +# Sections: 1 +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + +% metadata, triage + +# Basic usage +exiftool document.pdf + +# Alternative usage +exiftool specimen.exe diff --git a/data/generated/cheatsheets/fakedns.cheat b/data/generated/cheatsheets/fakedns.cheat new file mode 100644 index 0000000..29aac9f --- /dev/null +++ b/data/generated/cheatsheets/fakedns.cheat 
@@ -0,0 +1,23 @@ +# fakedns +# Fake DNS server that resolves all queries to a specified IP for traffic interception +# FOR610 Labs: 1.3, 1.6, 1.7, 1.8 | Sections: 1 +# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services + +% dns, spoofing, interception, lab-setup + +# Basic usage +fakedns + + +# --- Recipes (multi-tool chains) --- + +# >> Set Up DNS + HTTP Interception +# Option A: Simple DNS + HTTP +fakedns & +httpd & +# Option B: Full service emulation (HTTP, HTTPS, DNS, FTP, SMTP) +inetsim +# Verify DNS is working +nslookup anything.com +# Redirect hardcoded IPs too +iptables -t nat -A PREROUTING -i eth0 -j REDIRECT diff --git a/data/generated/cheatsheets/fakemail.cheat b/data/generated/cheatsheets/fakemail.cheat new file mode 100644 index 0000000..0e34b70 --- /dev/null +++ b/data/generated/cheatsheets/fakemail.cheat @@ -0,0 +1,9 @@ +# fakemail +# Intercept and examine SMTP email activity with this fake SMTP server. +# Category: Explore Network Interactions > Services +# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services + +% fakemail + +# Show help for fakemail +fakemail --help diff --git a/data/generated/cheatsheets/fakenet-ng.cheat b/data/generated/cheatsheets/fakenet-ng.cheat new file mode 100644 index 0000000..cfaa5d2 --- /dev/null +++ b/data/generated/cheatsheets/fakenet-ng.cheat @@ -0,0 +1,11 @@ +# fakenet-ng +# Emulate network services (HTTP, DNS, SMTP, FTP) to intercept and analyze malware traffic dynamically +# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services + +% network, emulation, dynamic-analysis, c2 + +# Basic usage +fakenet + +# Alternative usage +fakenet -c custom_config.ini diff --git a/data/generated/cheatsheets/feh.cheat b/data/generated/cheatsheets/feh.cheat new file mode 100644 index 0000000..8ae88bd --- /dev/null +++ b/data/generated/cheatsheets/feh.cheat 
@@ -0,0 +1,24 @@ +# feh +# Lightweight image viewer for viewing extracted images from documents +# FOR610 Labs: 3.1 | Sections: 3 +# Docs: https://docs.remnux.org/discover-the-tools/view+or+edit+files + +% image-viewer + +# Basic usage +feh extracted_image.jpg + + +# --- Recipes (multi-tool chains) --- + +# >> Extract Embedded Object from PDF +# Scan for suspicious keywords +pdfid.py +# Find objects containing the keyword +pdf-parser.py -s /URI +# Extract all values for that keyword +pdf-parser.py -k /URI +# Dump a specific object to file +pdf-parser.py -o -d extracted_object +# View extracted image +feh extracted_object & diff --git a/data/generated/cheatsheets/file-magic.py.cheat b/data/generated/cheatsheets/file-magic.py.cheat new file mode 100644 index 0000000..6320e57 --- /dev/null +++ b/data/generated/cheatsheets/file-magic.py.cheat @@ -0,0 +1,9 @@ +# file-magic.py +# Identify file types using the Python magic module. +# Category: Examine Static Properties > General +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + +% file-magic.py + +# Show help for file-magic.py +file-magic.py --help diff --git a/data/generated/cheatsheets/file.cheat b/data/generated/cheatsheets/file.cheat new file mode 100644 index 0000000..1431884 --- /dev/null +++ b/data/generated/cheatsheets/file.cheat @@ -0,0 +1,25 @@ +# file +# Determine file type and MIME type using magic bytes +# FOR610 Labs: 3.4, 3.5 | Sections: 3 +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + +% file-identification, triage + +# Basic usage +file specimen.exe + +# Alternative usage +file document.doc + + +# --- Recipes (multi-tool chains) --- + +# >> Extract and Triage Email Attachments +# List email structure +emldump.py +# Extract all attachments +emldump.py -d +# Identify file types +file attachment_* +# Compute hashes for lookup +sha256sum attachment_* 
diff --git a/data/generated/cheatsheets/firefox.cheat b/data/generated/cheatsheets/firefox.cheat new file mode 100644 index 0000000..c644d66 --- /dev/null +++ b/data/generated/cheatsheets/firefox.cheat @@ -0,0 +1,9 @@ +# firefox +# Web browser. +# Category: General Utilities +# Docs: https://docs.remnux.org/discover-the-tools/general+utilities + +% firefox + +# Show help for firefox +firefox --help diff --git a/data/generated/cheatsheets/flare-floss.cheat b/data/generated/cheatsheets/flare-floss.cheat new file mode 100644 index 0000000..15a4760 --- /dev/null +++ b/data/generated/cheatsheets/flare-floss.cheat @@ -0,0 +1,7 @@ +# flare-floss +# Installed via: apt (remnux-packages-flare-floss) + +% flare-floss + +# Show help for flare-floss +flare-floss --help diff --git a/data/generated/cheatsheets/flex.cheat b/data/generated/cheatsheets/flex.cheat new file mode 100644 index 0000000..dc46fc3 --- /dev/null +++ b/data/generated/cheatsheets/flex.cheat @@ -0,0 +1,7 @@ +# flex +# Installed via: apt (flex) + +% flex + +# Show help for flex +flex --help diff --git a/data/generated/cheatsheets/floss.cheat b/data/generated/cheatsheets/floss.cheat new file mode 100644 index 0000000..aae59aa --- /dev/null +++ b/data/generated/cheatsheets/floss.cheat 
@@ -0,0 +1,26 @@ +# FLOSS +# Automatically extract obfuscated strings from malware using static analysis, stack strings, and emulation +# FOR610 Labs: 5.2, 5.3 | Sections: 5 +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + +% strings, deobfuscation, automated + +# Basic usage +floss specimen.exe + +# Save output to file +floss specimen.exe > strings-output.txt + +# Skip static analysis, focus on dynamic +floss --no-static -- specimen.exe + + +# --- Recipes (multi-tool chains) --- + +# >> Extract Stack-Built Strings +# Automatic stack string recovery +strdeob.pl +# FLOSS automatic deobfuscation (static + stack + decoded) +floss +# FLOSS skip static strings, only show decoded +floss --no-static -- diff --git a/data/generated/cheatsheets/format-bytes.py.cheat b/data/generated/cheatsheets/format-bytes.py.cheat new file mode 100644 index 0000000..94d24c3 --- /dev/null +++ b/data/generated/cheatsheets/format-bytes.py.cheat @@ -0,0 +1,9 @@ +# format-bytes.py +# Decompose structured binary data with format strings. +# Category: Examine Static Properties > Deobfuscation +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + +% format-bytes.py + +# Show help for format-bytes.py +format-bytes.py --help diff --git a/data/generated/cheatsheets/frida.cheat b/data/generated/cheatsheets/frida.cheat new file mode 100644 index 0000000..964d081 --- /dev/null +++ b/data/generated/cheatsheets/frida.cheat @@ -0,0 +1,14 @@ +# Frida +# Dynamic instrumentation toolkit — hook and trace running processes, intercept function calls in real time +# Docs: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/general + +% dynamic, instrumentation, hooking, tracing + +# Basic usage +frida -l hook.js + +# Case-insensitive search +frida-trace -i 'recv*' + +# Alternative usage +frida-ps -U 
diff --git a/data/generated/cheatsheets/galculator.cheat b/data/generated/cheatsheets/galculator.cheat new file mode 100644 index 0000000..a0a06fb --- /dev/null +++ b/data/generated/cheatsheets/galculator.cheat @@ -0,0 +1,7 @@ +# galculator +# Installed via: apt (galculator) + +% galculator + +# Show help for galculator +galculator --help diff --git a/data/generated/cheatsheets/gdb.cheat b/data/generated/cheatsheets/gdb.cheat new file mode 100644 index 0000000..64faafe --- /dev/null +++ b/data/generated/cheatsheets/gdb.cheat @@ -0,0 +1,7 @@ +# gdb +# Installed via: apt (gdb) + +% gdb + +# Show help for gdb +gdb --help diff --git a/data/generated/cheatsheets/gdm3.cheat b/data/generated/cheatsheets/gdm3.cheat new file mode 100644 index 0000000..2124339 --- /dev/null +++ b/data/generated/cheatsheets/gdm3.cheat @@ -0,0 +1,7 @@ +# gdm3 +# Installed via: unknown (gdm3) + +% gdm3 + +# Show help for gdm3 +gdm3 --help diff --git a/data/generated/cheatsheets/ghidra.cheat b/data/generated/cheatsheets/ghidra.cheat new file mode 100644 index 0000000..83350cb --- /dev/null +++ b/data/generated/cheatsheets/ghidra.cheat @@ -0,0 +1,9 @@ +# Ghidra +# Open-source disassembler and decompiler from NSA with scripting, function graphs, and data type management +# FOR610 Labs: 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 4.9, 5.2, 5.4, 5.5, 5.6, 5.7, 5.9 | Sections: 2, 4, 5 +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/general + +% disassembly, decompilation, code-analysis, function-graph + +# Basic usage +ghidra diff --git a/data/generated/cheatsheets/ghidrassistmcp.cheat b/data/generated/cheatsheets/ghidrassistmcp.cheat new file mode 100644 index 0000000..b845b7a --- /dev/null +++ b/data/generated/cheatsheets/ghidrassistmcp.cheat 
@@ -0,0 +1,9 @@ +# GhidrAssistMCP +# MCP server for AI-assisted reverse engineering in Ghidra. +# Category: Use Artificial Intelligence +# Docs: https://docs.remnux.org/discover-the-tools/use+artificial+intelligence + +% ghidrassistmcp + +# Show help for GhidrAssistMCP +GhidrAssistMCP --help diff --git a/data/generated/cheatsheets/gift.cheat b/data/generated/cheatsheets/gift.cheat new file mode 100644 index 0000000..7dd0bda --- /dev/null +++ b/data/generated/cheatsheets/gift.cheat @@ -0,0 +1,7 @@ +# gift +# Installed via: unknown (gift) + +% gift + +# Show help for gift +gift --help diff --git a/data/generated/cheatsheets/git.cheat b/data/generated/cheatsheets/git.cheat new file mode 100644 index 0000000..19b515f --- /dev/null +++ b/data/generated/cheatsheets/git.cheat @@ -0,0 +1,7 @@ +# git +# Installed via: apt (git) + +% git + +# Show help for git +git --help diff --git a/data/generated/cheatsheets/gnome-calculator.cheat b/data/generated/cheatsheets/gnome-calculator.cheat new file mode 100644 index 0000000..af0a426 --- /dev/null +++ b/data/generated/cheatsheets/gnome-calculator.cheat @@ -0,0 +1,9 @@ +# GNOME Calculator +# Calculator. +# Category: General Utilities +# Docs: https://docs.remnux.org/discover-the-tools/general+utilities + +% gnome-calculator + +# Show help for GNOME Calculator +GNOME Calculator --help diff --git a/data/generated/cheatsheets/gnome-session.cheat b/data/generated/cheatsheets/gnome-session.cheat new file mode 100644 index 0000000..3b281d9 --- /dev/null +++ b/data/generated/cheatsheets/gnome-session.cheat @@ -0,0 +1,7 @@ +# gnome-session +# Installed via: unknown (gnome-session) + +% gnome-session + +# Show help for gnome-session +gnome-session --help diff --git a/data/generated/cheatsheets/gnome-shell-extensions.cheat b/data/generated/cheatsheets/gnome-shell-extensions.cheat new file mode 100644 index 0000000..66acf4a --- /dev/null +++ b/data/generated/cheatsheets/gnome-shell-extensions.cheat 
@@ -0,0 +1,7 @@ +# gnome-shell-extensions +# Installed via: unknown (gnome-shell-extensions) + +% gnome-shell-extensions + +# Show help for gnome-shell-extensions +gnome-shell-extensions --help diff --git a/data/generated/cheatsheets/gnome-terminal.cheat b/data/generated/cheatsheets/gnome-terminal.cheat new file mode 100644 index 0000000..e47a4d9 --- /dev/null +++ b/data/generated/cheatsheets/gnome-terminal.cheat @@ -0,0 +1,7 @@ +# gnome-terminal +# Installed via: unknown (gnome-terminal) + +% gnome-terminal + +# Show help for gnome-terminal +gnome-terminal --help diff --git a/data/generated/cheatsheets/gnome-tweaks.cheat b/data/generated/cheatsheets/gnome-tweaks.cheat new file mode 100644 index 0000000..6477fb6 --- /dev/null +++ b/data/generated/cheatsheets/gnome-tweaks.cheat @@ -0,0 +1,7 @@ +# gnome-tweaks +# Installed via: unknown (gnome-tweaks) + +% gnome-tweaks + +# Show help for gnome-tweaks +gnome-tweaks --help diff --git a/data/generated/cheatsheets/gnu-wget.cheat b/data/generated/cheatsheets/gnu-wget.cheat new file mode 100644 index 0000000..421a8fe --- /dev/null +++ b/data/generated/cheatsheets/gnu-wget.cheat @@ -0,0 +1,9 @@ +# GNU Wget +# Interact with servers via HTTP, HTTPS, FTP, and FTPS using this command-line tool. +# Category: Explore Network Interactions > Connecting +# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting + +% gnu-wget + +# Show help for GNU Wget +GNU Wget --help diff --git a/data/generated/cheatsheets/gnutls-bin.cheat b/data/generated/cheatsheets/gnutls-bin.cheat new file mode 100644 index 0000000..c98406d --- /dev/null +++ b/data/generated/cheatsheets/gnutls-bin.cheat @@ -0,0 +1,7 @@ +# gnutls-bin +# Installed via: apt (gnutls-bin) + +% gnutls-bin + +# Show help for gnutls-bin +gnutls-bin --help diff --git a/data/generated/cheatsheets/goresym.cheat b/data/generated/cheatsheets/goresym.cheat new file mode 100644 index 0000000..9cf810a --- /dev/null +++ b/data/generated/cheatsheets/goresym.cheat 
@@ -0,0 +1,9 @@ +# goresym +# Extract metadata and symbols from Go binaries, including stripped ones. +# Category: Examine Static Properties > Go +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/go + +% goresym + +# Show help for goresym +goresym --help diff --git a/data/generated/cheatsheets/graphviz.cheat b/data/generated/cheatsheets/graphviz.cheat new file mode 100644 index 0000000..300327f --- /dev/null +++ b/data/generated/cheatsheets/graphviz.cheat @@ -0,0 +1,7 @@ +# graphviz +# Installed via: apt (graphviz) + +% graphviz + +# Show help for graphviz +graphviz --help diff --git a/data/generated/cheatsheets/grub-kvm.cheat b/data/generated/cheatsheets/grub-kvm.cheat new file mode 100644 index 0000000..0a6a082 --- /dev/null +++ b/data/generated/cheatsheets/grub-kvm.cheat @@ -0,0 +1,7 @@ +# grub-kvm +# Installed via: unknown (update-grub) + +% grub-kvm + +# Show help for grub-kvm +grub-kvm --help diff --git a/data/generated/cheatsheets/guest-tools.cheat b/data/generated/cheatsheets/guest-tools.cheat new file mode 100644 index 0000000..2907f34 --- /dev/null +++ b/data/generated/cheatsheets/guest-tools.cheat @@ -0,0 +1,7 @@ +# guest-tools +# Installed via: manual (open-vm-tools-desktop) + +% guest-tools + +# Show help for guest-tools +guest-tools --help diff --git a/data/generated/cheatsheets/gunzip.cheat b/data/generated/cheatsheets/gunzip.cheat new file mode 100644 index 0000000..1ddfc68 --- /dev/null +++ b/data/generated/cheatsheets/gunzip.cheat 
@@ -0,0 +1,30 @@ +# gunzip +# Decompress gzip-compressed data (often used in multi-stage payload extraction) +# FOR610 Labs: 3.4 | Sections: 3 + +% compression, extraction + +# Basic usage +gunzip -c compressed.gz > output.bin + + +# --- Recipes (multi-tool chains) --- + +# >> Decode Base64 + Gzip Payload +# Find Base64 strings in the script +base64dump.py -n 10 +# Decode Base64 and decompress gzip in one chain +base64dump.py -s -d | gunzip > decoded.ps1 + +# >> Full Office Macro Decode Chain +# Step 1: List streams and extract VBA +oledump.py +oledump.py -s -v +# Step 2: Extract Base64 from data stream +oledump.py -s -d | base64dump.py -s 1 -d > stage1.ps1 +# Step 3: Decode second Base64 layer + decompress +base64dump.py stage1.ps1 -s 3 -d | gunzip > stage2.ps1 +# Step 4: XOR decode the shellcode +base64dump.py stage2.ps1 -s 2 -d | translate.py 'byte ^ 35' > shellcode.bin +# Step 5: Emulate the shellcode +scdbgc /f shellcode.bin /s -1 diff --git a/data/generated/cheatsheets/hachoir.cheat b/data/generated/cheatsheets/hachoir.cheat new file mode 100644 index 0000000..ab70d37 --- /dev/null +++ b/data/generated/cheatsheets/hachoir.cheat @@ -0,0 +1,9 @@ +# Hachoir +# View, edit, and carve contents of various binary file types. +# Category: Examine Static Properties > General +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + +% hachoir + +# Show help for Hachoir +Hachoir --help diff --git a/data/generated/cheatsheets/hash-id.cheat b/data/generated/cheatsheets/hash-id.cheat new file mode 100644 index 0000000..3ba1dea --- /dev/null +++ b/data/generated/cheatsheets/hash-id.cheat @@ -0,0 +1,9 @@ +# Hash ID +# Identify different types of hashes. +# Category: Examine Static Properties > General +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + +% hash-id + +# Show help for Hash ID +Hash ID --help 
diff --git a/data/generated/cheatsheets/hex-to-bin.py.cheat b/data/generated/cheatsheets/hex-to-bin.py.cheat new file mode 100644 index 0000000..19ca379 --- /dev/null +++ b/data/generated/cheatsheets/hex-to-bin.py.cheat @@ -0,0 +1,9 @@ +# hex-to-bin.py +# Convert hexadecimal text dumps to binary data. +# Category: Examine Static Properties > Deobfuscation +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + +% hex-to-bin.py + +# Show help for hex-to-bin.py +hex-to-bin.py --help diff --git a/data/generated/cheatsheets/hexdump.cheat b/data/generated/cheatsheets/hexdump.cheat new file mode 100644 index 0000000..8b07458 --- /dev/null +++ b/data/generated/cheatsheets/hexdump.cheat @@ -0,0 +1,8 @@ +# hexdump +# Display file content in hexadecimal format +# Sections: 1 + +% hex, binary-viewing + +# Basic usage +hexdump -C binary.dat diff --git a/data/generated/cheatsheets/httpd.cheat b/data/generated/cheatsheets/httpd.cheat new file mode 100644 index 0000000..da5ad2d --- /dev/null +++ b/data/generated/cheatsheets/httpd.cheat @@ -0,0 +1,23 @@ +# httpd +# Simple HTTP server on REMnux for simulating C2 web servers +# FOR610 Labs: 1.3, 1.6, 1.8 | Sections: 1 +# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services + +% http, web-server, c2-simulation, lab-setup + +# Basic usage +httpd + + +# --- Recipes (multi-tool chains) --- + +# >> Set Up DNS + HTTP Interception +# Option A: Simple DNS + HTTP +fakedns & +httpd & +# Option B: Full service emulation (HTTP, HTTPS, DNS, FTP, SMTP) +inetsim +# Verify DNS is working +nslookup anything.com +# Redirect hardcoded IPs too +iptables -t nat -A PREROUTING -i eth0 -j REDIRECT diff --git a/data/generated/cheatsheets/i386-architecture.cheat b/data/generated/cheatsheets/i386-architecture.cheat new file mode 100644 index 0000000..78c5fee --- /dev/null +++ b/data/generated/cheatsheets/i386-architecture.cheat 
@@ -0,0 +1,7 @@ +# i386-architecture +# Installed via: apt (libc6) + +% i386-architecture + +# Show help for i386-architecture +i386-architecture --help diff --git a/data/generated/cheatsheets/ibus.cheat b/data/generated/cheatsheets/ibus.cheat new file mode 100644 index 0000000..78fa94d --- /dev/null +++ b/data/generated/cheatsheets/ibus.cheat @@ -0,0 +1,9 @@ +# ibus +# Adjust input methods for the GUI. +# Category: General Utilities +# Docs: https://docs.remnux.org/discover-the-tools/general+utilities + +% ibus + +# Show help for ibus +ibus --help diff --git a/data/generated/cheatsheets/ilspy.cheat b/data/generated/cheatsheets/ilspy.cheat new file mode 100644 index 0000000..9844440 --- /dev/null +++ b/data/generated/cheatsheets/ilspy.cheat @@ -0,0 +1,9 @@ +# ILSpy +# .NET assembly decompiler — view C#/VB.NET source from compiled .NET binaries +# FOR610 Labs: 3.12, 4.8 | Sections: 3, 4 +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/.net + +% dotnet, decompiler, csharp + +# Basic usage +ILSpy.exe assembly.exe diff --git a/data/generated/cheatsheets/ilspycmd.cheat b/data/generated/cheatsheets/ilspycmd.cheat new file mode 100644 index 0000000..8d43822 --- /dev/null +++ b/data/generated/cheatsheets/ilspycmd.cheat @@ -0,0 +1,20 @@ +# ilspycmd +# Command-line .NET decompiler (CLI version of ILSpy) +# FOR610 Labs: 4.8 | Sections: 4 + +% dotnet, decompiler, cli + +# Basic usage +ilspycmd assembly.exe > decompiled.cs + + +# --- Recipes (multi-tool chains) --- + +# >> Decompile .NET on Command Line +# Decompile to C# source +ilspycmd > source.cs +# Search for suspicious patterns +grep -n 'Assembly.Load\|WebClient\|Process.Start' source.cs +# If obfuscated, deobfuscate first +de4dot +ilspycmd > source_clean.cs diff --git a/data/generated/cheatsheets/imagemagick.cheat b/data/generated/cheatsheets/imagemagick.cheat new file mode 100644 index 0000000..2dd1f28 --- /dev/null +++ b/data/generated/cheatsheets/imagemagick.cheat 
@@ -0,0 +1,9 @@ +# imagemagick +# View and manipulate image and related files. +# Category: View or Edit Files +# Docs: https://docs.remnux.org/discover-the-tools/view+or+edit+files + +% imagemagick + +# Show help for imagemagick +imagemagick --help diff --git a/data/generated/cheatsheets/inetsim.cheat b/data/generated/cheatsheets/inetsim.cheat new file mode 100644 index 0000000..86fa212 --- /dev/null +++ b/data/generated/cheatsheets/inetsim.cheat @@ -0,0 +1,23 @@ +# INetSim +# Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for malware analysis in isolated labs +# FOR610 Labs: 1.7 | Sections: 1 +# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services + +% service-emulation, network-simulation, lab-setup + +# Basic usage +inetsim + + +# --- Recipes (multi-tool chains) --- + +# >> Set Up DNS + HTTP Interception +# Option A: Simple DNS + HTTP +fakedns & +httpd & +# Option B: Full service emulation (HTTP, HTTPS, DNS, FTP, SMTP) +inetsim +# Verify DNS is working +nslookup anything.com +# Redirect hardcoded IPs too +iptables -t nat -A PREROUTING -i eth0 -j REDIRECT diff --git a/data/generated/cheatsheets/inspircd.cheat b/data/generated/cheatsheets/inspircd.cheat new file mode 100644 index 0000000..00e0f47 --- /dev/null +++ b/data/generated/cheatsheets/inspircd.cheat @@ -0,0 +1,9 @@ +# inspircd +# Examine IRC activity with this IRC server. +# Category: Explore Network Interactions > Services +# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services + +% inspircd + +# Show help for inspircd +inspircd --help diff --git a/data/generated/cheatsheets/ioc-parser.cheat b/data/generated/cheatsheets/ioc-parser.cheat new file mode 100644 index 0000000..562ec3e --- /dev/null +++ b/data/generated/cheatsheets/ioc-parser.cheat 
@@ -0,0 +1,8 @@ +# ioc-parser +# Extract indicators of compromise (IOCs) from PDF reports and text files +# Docs: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + +% ioc, extraction, threat-intel + +# Basic usage +ioc_parser diff --git a/data/generated/cheatsheets/iproute2.cheat b/data/generated/cheatsheets/iproute2.cheat new file mode 100644 index 0000000..5fe538e --- /dev/null +++ b/data/generated/cheatsheets/iproute2.cheat @@ -0,0 +1,7 @@ +# iproute2 +# Installed via: apt (iproute2) + +% iproute2 + +# Show help for iproute2 +iproute2 --help diff --git a/data/generated/cheatsheets/iptables.cheat b/data/generated/cheatsheets/iptables.cheat new file mode 100644 index 0000000..d76403a --- /dev/null +++ b/data/generated/cheatsheets/iptables.cheat @@ -0,0 +1,8 @@ +# iptables +# Linux firewall and NAT tool for redirecting IP-based malware traffic +# FOR610 Labs: 1.8 | Sections: 1 + +% firewall, nat, traffic-redirection + +# Basic usage +iptables -t nat -A PREROUTING -i ens32 -j REDIRECT diff --git a/data/generated/cheatsheets/iputils-ping.cheat b/data/generated/cheatsheets/iputils-ping.cheat new file mode 100644 index 0000000..6dc61de --- /dev/null +++ b/data/generated/cheatsheets/iputils-ping.cheat @@ -0,0 +1,7 @@ +# iputils-ping +# Installed via: apt (iputils-ping) + +% iputils-ping + +# Show help for iputils-ping +iputils-ping --help diff --git a/data/generated/cheatsheets/ipwhois.cheat b/data/generated/cheatsheets/ipwhois.cheat new file mode 100644 index 0000000..e121c77 --- /dev/null +++ b/data/generated/cheatsheets/ipwhois.cheat @@ -0,0 +1,9 @@ +# ipwhois +# Retrieve and parse whois data for IP addresses. +# Category: Gather and Analyze Data +# Docs: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + +% ipwhois + +# Show help for ipwhois +ipwhois --help diff --git a/data/generated/cheatsheets/ipython3.cheat b/data/generated/cheatsheets/ipython3.cheat new file mode 100644 index 0000000..f78a7f3 --- /dev/null 
+++ b/data/generated/cheatsheets/ipython3.cheat @@ -0,0 +1,7 @@ +# ipython3 +# Installed via: apt (remnux-packages-ipython3) + +% ipython3 + +# Show help for ipython3 +ipython3 --help diff --git a/data/generated/cheatsheets/jadx.cheat b/data/generated/cheatsheets/jadx.cheat new file mode 100644 index 0000000..cfc5520 --- /dev/null +++ b/data/generated/cheatsheets/jadx.cheat @@ -0,0 +1,24 @@ +# jadx +# Decompile Android DEX/APK to Java source code with a GUI or command line +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android + +% android, dex, java, decompilation + +# Basic usage +jadx -d output/ + +# Save output to file +jadx-gui + + +# --- Recipes (multi-tool chains) --- + +# >> Quick APK Triage +# Check for packers/obfuscators +apkid +# Decompile to smali + resources +apktool d -o output/ +# Check permissions +grep 'uses-permission' output/AndroidManifest.xml +# Decompile to Java source +jadx -d src/ diff --git a/data/generated/cheatsheets/java-idx-parser.cheat b/data/generated/cheatsheets/java-idx-parser.cheat new file mode 100644 index 0000000..8d6e424 --- /dev/null +++ b/data/generated/cheatsheets/java-idx-parser.cheat @@ -0,0 +1,9 @@ +# java-idx-parser +# Analyze Java IDX files. +# Category: Statically Analyze Code > Java +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/java + +% java-idx-parser + +# Show help for java-idx-parser +java-idx-parser --help diff --git a/data/generated/cheatsheets/javassist.cheat b/data/generated/cheatsheets/javassist.cheat new file mode 100644 index 0000000..e8f2695 --- /dev/null +++ b/data/generated/cheatsheets/javassist.cheat @@ -0,0 +1,9 @@ +# Javassist +# Java bytecode engineering toolkit/library. +# Category: Statically Analyze Code > Java +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/java + +% javassist + +# Show help for Javassist +Javassist --help 
diff --git a/data/generated/cheatsheets/jd-gui-java-decompiler.cheat b/data/generated/cheatsheets/jd-gui-java-decompiler.cheat new file mode 100644 index 0000000..2b35504 --- /dev/null +++ b/data/generated/cheatsheets/jd-gui-java-decompiler.cheat @@ -0,0 +1,9 @@ +# JD-GUI Java Decompiler +# Java decompiler with GUI. +# Category: Statically Analyze Code > Java +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/java + +% jd-gui-java-decompiler + +# Show help for JD-GUI Java Decompiler +JD-GUI Java Decompiler --help diff --git a/data/generated/cheatsheets/jd-gui.cheat b/data/generated/cheatsheets/jd-gui.cheat new file mode 100644 index 0000000..3d8e315 --- /dev/null +++ b/data/generated/cheatsheets/jd-gui.cheat @@ -0,0 +1,7 @@ +# jd-gui +# Visual Java decompiler with GUI — browse and search decompiled JAR/class files + +% java, decompilation, gui + +# Basic usage +jd-gui diff --git a/data/generated/cheatsheets/jq.cheat b/data/generated/cheatsheets/jq.cheat new file mode 100644 index 0000000..db5f4a5 --- /dev/null +++ b/data/generated/cheatsheets/jq.cheat @@ -0,0 +1,22 @@ +# jq +# Command-line JSON processor for extracting and transforming structured data +# FOR610 Labs: 1.4 | Sections: 1 + +% json, data-processing + +# Basic usage +cat report.json | jq '.apis' + +# Recursive/follow references +jq -r '.entry' report.json + + +# --- Recipes (multi-tool chains) --- + +# >> Emulate Malware and Extract API Calls +# Emulate and capture both JSON report and text log +speakeasy -t -o report.json 2> report.txt +# Extract all API names called +jq '.entry_points[].apis[].api_name' report.json +# Extract unique API names +jq -r '.entry_points[].apis[].api_name' report.json | sort -u diff --git a/data/generated/cheatsheets/js-beautify.cheat b/data/generated/cheatsheets/js-beautify.cheat new file mode 100644 index 0000000..d88d48d --- /dev/null +++ b/data/generated/cheatsheets/js-beautify.cheat 
@@ -0,0 +1,22 @@ +# js-beautify +# Format and beautify obfuscated JavaScript code for readability +# FOR610 Labs: 3.6, 4.5 | Sections: 3 +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts + +% javascript, formatting, readability + +# Basic usage +js-beautify malicious.js > beautified.js + + +# --- Recipes (multi-tool chains) --- + +# >> Deobfuscate JavaScript with SpiderMonkey +# Beautify compressed JavaScript +js-beautify > readable.js +# Execute with objects.js to simulate browser/WScript APIs +js -f /usr/share/remnux/objects.js -f > decoded.js +# If script expects location.href, edit objects.js first: +cp /usr/share/remnux/objects.js . +# Edit objects.js to set: location = { href: 'http://expected-url' } +js -f objects.js -f > decoded.js diff --git a/data/generated/cheatsheets/jstillery.cheat b/data/generated/cheatsheets/jstillery.cheat new file mode 100644 index 0000000..df5ca02 --- /dev/null +++ b/data/generated/cheatsheets/jstillery.cheat @@ -0,0 +1,9 @@ +# jstillery +# Deobfuscate JavaScript scripts using AST and Partial Evaluation techniques. +# Category: Dynamically Reverse-Engineer Code > Scripts +# Docs: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts + +% jstillery + +# Show help for jstillery +jstillery --help diff --git a/data/generated/cheatsheets/lame.cheat b/data/generated/cheatsheets/lame.cheat new file mode 100644 index 0000000..c5c0554 --- /dev/null +++ b/data/generated/cheatsheets/lame.cheat @@ -0,0 +1,7 @@ +# lame +# Installed via: apt (lame) + +% lame + +# Show help for lame +lame --help diff --git a/data/generated/cheatsheets/libboost-dev.cheat b/data/generated/cheatsheets/libboost-dev.cheat new file mode 100644 index 0000000..11c4b12 --- /dev/null +++ b/data/generated/cheatsheets/libboost-dev.cheat @@ -0,0 +1,7 @@ +# libboost-dev +# Installed via: apt (libboost-dev) + +% libboost-dev + +# Show help for libboost-dev +libboost-dev --help 
diff --git a/data/generated/cheatsheets/libboost-python-dev.cheat b/data/generated/cheatsheets/libboost-python-dev.cheat new file mode 100644 index 0000000..2cc5a91 --- /dev/null +++ b/data/generated/cheatsheets/libboost-python-dev.cheat @@ -0,0 +1,7 @@ +# libboost-python-dev +# Installed via: apt (libboost-python-dev) + +% libboost-python-dev + +# Show help for libboost-python-dev +libboost-python-dev --help diff --git a/data/generated/cheatsheets/libboost-system-dev.cheat b/data/generated/cheatsheets/libboost-system-dev.cheat new file mode 100644 index 0000000..71223e2 --- /dev/null +++ b/data/generated/cheatsheets/libboost-system-dev.cheat @@ -0,0 +1,7 @@ +# libboost-system-dev +# Installed via: apt (libboost-system-dev) + +% libboost-system-dev + +# Show help for libboost-system-dev +libboost-system-dev --help diff --git a/data/generated/cheatsheets/libdpkg-perl.cheat b/data/generated/cheatsheets/libdpkg-perl.cheat new file mode 100644 index 0000000..b2d53d0 --- /dev/null +++ b/data/generated/cheatsheets/libdpkg-perl.cheat @@ -0,0 +1,7 @@ +# libdpkg-perl +# Installed via: apt (libdpkg-perl) + +% libdpkg-perl + +# Show help for libdpkg-perl +libdpkg-perl --help diff --git a/data/generated/cheatsheets/libemail-outlook-message-perl.cheat b/data/generated/cheatsheets/libemail-outlook-message-perl.cheat new file mode 100644 index 0000000..97e8a44 --- /dev/null +++ b/data/generated/cheatsheets/libemail-outlook-message-perl.cheat @@ -0,0 +1,7 @@ +# libemail-outlook-message-perl +# Installed via: apt (libemail-outlook-message-perl) + +% libemail-outlook-message-perl + +# Show help for libemail-outlook-message-perl +libemail-outlook-message-perl --help diff --git a/data/generated/cheatsheets/libemu.cheat b/data/generated/cheatsheets/libemu.cheat new file mode 100644 index 0000000..eaa1ca1 --- /dev/null +++ b/data/generated/cheatsheets/libemu.cheat 
@@ -0,0 +1,9 @@ +# libemu +# A library for x86 code emulation and shellcode detection. +# Category: Dynamically Reverse-Engineer Code > Shellcode +# Docs: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode + +% libemu + +# Show help for libemu +libemu --help diff --git a/data/generated/cheatsheets/libffi-dev.cheat b/data/generated/cheatsheets/libffi-dev.cheat new file mode 100644 index 0000000..9d3de3c --- /dev/null +++ b/data/generated/cheatsheets/libffi-dev.cheat @@ -0,0 +1,7 @@ +# libffi-dev +# Installed via: apt (libffi-dev) + +% libffi-dev + +# Show help for libffi-dev +libffi-dev --help diff --git a/data/generated/cheatsheets/libfuse2.cheat b/data/generated/cheatsheets/libfuse2.cheat new file mode 100644 index 0000000..0d816c0 --- /dev/null +++ b/data/generated/cheatsheets/libfuse2.cheat @@ -0,0 +1,7 @@ +# libfuse2 +# Installed via: apt (remnux-packages-libfuse2) + +% libfuse2 + +# Show help for libfuse2 +libfuse2 --help diff --git a/data/generated/cheatsheets/libfuzzy-dev.cheat b/data/generated/cheatsheets/libfuzzy-dev.cheat new file mode 100644 index 0000000..a4e1e45 --- /dev/null +++ b/data/generated/cheatsheets/libfuzzy-dev.cheat @@ -0,0 +1,7 @@ +# libfuzzy-dev +# Installed via: apt (libfuzzy-dev) + +% libfuzzy-dev + +# Show help for libfuzzy-dev +libfuzzy-dev --help diff --git a/data/generated/cheatsheets/libfuzzy2.cheat b/data/generated/cheatsheets/libfuzzy2.cheat new file mode 100644 index 0000000..88b49f7 --- /dev/null +++ b/data/generated/cheatsheets/libfuzzy2.cheat @@ -0,0 +1,7 @@ +# libfuzzy2 +# Installed via: apt (libfuzzy2) + +% libfuzzy2 + +# Show help for libfuzzy2 +libfuzzy2 --help diff --git a/data/generated/cheatsheets/libglib2.cheat b/data/generated/cheatsheets/libglib2.cheat new file mode 100644 index 0000000..e4118bc --- /dev/null +++ b/data/generated/cheatsheets/libglib2.cheat 
@@ -0,0 +1,7 @@ +# libglib2 +# Installed via: apt (remnux-packages-libglib2) + +% libglib2 + +# Show help for libglib2 +libglib2 --help diff --git a/data/generated/cheatsheets/libglu1-mesa-dev.cheat b/data/generated/cheatsheets/libglu1-mesa-dev.cheat new file mode 100644 index 0000000..405541e --- /dev/null +++ b/data/generated/cheatsheets/libglu1-mesa-dev.cheat @@ -0,0 +1,7 @@ +# libglu1-mesa-dev +# Installed via: apt (libglu1-mesa-dev) + +% libglu1-mesa-dev + +# Show help for libglu1-mesa-dev +libglu1-mesa-dev --help diff --git a/data/generated/cheatsheets/libgraphviz-dev.cheat b/data/generated/cheatsheets/libgraphviz-dev.cheat new file mode 100644 index 0000000..4053941 --- /dev/null +++ b/data/generated/cheatsheets/libgraphviz-dev.cheat @@ -0,0 +1,7 @@ +# libgraphviz-dev +# Installed via: apt (libgraphviz-dev) + +% libgraphviz-dev + +# Show help for libgraphviz-dev +libgraphviz-dev --help diff --git a/data/generated/cheatsheets/libgtk-3-0.cheat b/data/generated/cheatsheets/libgtk-3-0.cheat new file mode 100644 index 0000000..f8e9229 --- /dev/null +++ b/data/generated/cheatsheets/libgtk-3-0.cheat @@ -0,0 +1,7 @@ +# libgtk-3-0 +# Installed via: apt (remnux-packages-libgtk-3-0) + +% libgtk-3-0 + +# Show help for libgtk-3-0 +libgtk-3-0 --help diff --git a/data/generated/cheatsheets/libjavassist-java.cheat b/data/generated/cheatsheets/libjavassist-java.cheat new file mode 100644 index 0000000..1b5c976 --- /dev/null +++ b/data/generated/cheatsheets/libjavassist-java.cheat @@ -0,0 +1,7 @@ +# libjavassist-java +# Installed via: apt (libjavassist-java) + +% libjavassist-java + +# Show help for libjavassist-java +libjavassist-java --help diff --git a/data/generated/cheatsheets/libjpeg-dev.cheat b/data/generated/cheatsheets/libjpeg-dev.cheat new file mode 100644 index 0000000..0fb9dfc --- /dev/null +++ b/data/generated/cheatsheets/libjpeg-dev.cheat 
@@ -0,0 +1,7 @@ +# libjpeg-dev +# Installed via: apt (libjpeg-dev) + +% libjpeg-dev + +# Show help for libjpeg-dev +libjpeg-dev --help diff --git a/data/generated/cheatsheets/libjpeg8-dev.cheat b/data/generated/cheatsheets/libjpeg8-dev.cheat new file mode 100644 index 0000000..84aa74c --- /dev/null +++ b/data/generated/cheatsheets/libjpeg8-dev.cheat @@ -0,0 +1,7 @@ +# libjpeg8-dev +# Installed via: apt (libjpeg8-dev) + +% libjpeg8-dev + +# Show help for libjpeg8-dev +libjpeg8-dev --help diff --git a/data/generated/cheatsheets/liblzma-dev.cheat b/data/generated/cheatsheets/liblzma-dev.cheat new file mode 100644 index 0000000..f2c1399 --- /dev/null +++ b/data/generated/cheatsheets/liblzma-dev.cheat @@ -0,0 +1,7 @@ +# liblzma-dev +# Installed via: apt (liblzma-dev) + +% liblzma-dev + +# Show help for liblzma-dev +liblzma-dev --help diff --git a/data/generated/cheatsheets/liblzo2-dev.cheat b/data/generated/cheatsheets/liblzo2-dev.cheat new file mode 100644 index 0000000..6778b6c --- /dev/null +++ b/data/generated/cheatsheets/liblzo2-dev.cheat @@ -0,0 +1,7 @@ +# liblzo2-dev +# Installed via: apt (liblzo2-dev) + +% liblzo2-dev + +# Show help for liblzo2-dev +liblzo2-dev --help diff --git a/data/generated/cheatsheets/libmagic-dev.cheat b/data/generated/cheatsheets/libmagic-dev.cheat new file mode 100644 index 0000000..6d26df8 --- /dev/null +++ b/data/generated/cheatsheets/libmagic-dev.cheat @@ -0,0 +1,7 @@ +# libmagic-dev +# Installed via: apt (libmagic-dev) + +% libmagic-dev + +# Show help for libmagic-dev +libmagic-dev --help diff --git a/data/generated/cheatsheets/libmysqlclient21.cheat b/data/generated/cheatsheets/libmysqlclient21.cheat new file mode 100644 index 0000000..82530ff --- /dev/null +++ b/data/generated/cheatsheets/libmysqlclient21.cheat @@ -0,0 +1,7 @@ +# libmysqlclient21 +# Installed via: apt (libmysqlclient21) + +% libmysqlclient21 + +# Show help for libmysqlclient21 +libmysqlclient21 --help 
diff --git a/data/generated/cheatsheets/libncurses.cheat b/data/generated/cheatsheets/libncurses.cheat new file mode 100644 index 0000000..a55ebe9 --- /dev/null +++ b/data/generated/cheatsheets/libncurses.cheat @@ -0,0 +1,7 @@ +# libncurses +# Installed via: apt (libncurses) + +% libncurses + +# Show help for libncurses +libncurses --help diff --git a/data/generated/cheatsheets/libnetfilter-queue-dev.cheat b/data/generated/cheatsheets/libnetfilter-queue-dev.cheat new file mode 100644 index 0000000..7bb3871 --- /dev/null +++ b/data/generated/cheatsheets/libnetfilter-queue-dev.cheat @@ -0,0 +1,7 @@ +# libnetfilter-queue-dev +# Installed via: apt (libnetfilter-queue-dev) + +% libnetfilter-queue-dev + +# Show help for libnetfilter-queue-dev +libnetfilter-queue-dev --help diff --git a/data/generated/cheatsheets/libnfnetlink-dev.cheat b/data/generated/cheatsheets/libnfnetlink-dev.cheat new file mode 100644 index 0000000..68f3e61 --- /dev/null +++ b/data/generated/cheatsheets/libnfnetlink-dev.cheat @@ -0,0 +1,7 @@ +# libnfnetlink-dev +# Installed via: apt (libnfnetlink-dev) + +% libnfnetlink-dev + +# Show help for libnfnetlink-dev +libnfnetlink-dev --help diff --git a/data/generated/cheatsheets/libolecf.cheat b/data/generated/cheatsheets/libolecf.cheat new file mode 100644 index 0000000..d132b52 --- /dev/null +++ b/data/generated/cheatsheets/libolecf.cheat @@ -0,0 +1,9 @@ +# libolecf +# Microsoft Office OLE2 compound documents. +# Category: Analyze Documents > Microsoft Office +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + +% libolecf + +# Show help for libolecf +libolecf --help diff --git a/data/generated/cheatsheets/libpq5.cheat b/data/generated/cheatsheets/libpq5.cheat new file mode 100644 index 0000000..1480449 --- /dev/null +++ b/data/generated/cheatsheets/libpq5.cheat @@ -0,0 +1,7 @@ +# libpq5 +# Installed via: apt (libpq5) + +% libpq5 + +# Show help for libpq5 +libpq5 --help 
diff --git a/data/generated/cheatsheets/libqt5scripttools5.cheat b/data/generated/cheatsheets/libqt5scripttools5.cheat new file mode 100644 index 0000000..d50bec6 --- /dev/null +++ b/data/generated/cheatsheets/libqt5scripttools5.cheat @@ -0,0 +1,7 @@ +# libqt5scripttools5 +# Installed via: apt (remnux-package-libqt5scripttools5) + +% libqt5scripttools5 + +# Show help for libqt5scripttools5 +libqt5scripttools5 --help diff --git a/data/generated/cheatsheets/libre2.cheat b/data/generated/cheatsheets/libre2.cheat new file mode 100644 index 0000000..cbd7d0d --- /dev/null +++ b/data/generated/cheatsheets/libre2.cheat @@ -0,0 +1,7 @@ +# libre2 +# Installed via: apt (remnux-packages-libre2) + +% libre2 + +# Show help for libre2 +libre2 --help diff --git a/data/generated/cheatsheets/libsm6.cheat b/data/generated/cheatsheets/libsm6.cheat new file mode 100644 index 0000000..7d0241b --- /dev/null +++ b/data/generated/cheatsheets/libsm6.cheat @@ -0,0 +1,7 @@ +# libsm6 +# Installed via: apt (remnux-packages-libsm6) + +% libsm6 + +# Show help for libsm6 +libsm6 --help diff --git a/data/generated/cheatsheets/libsqlite3-dev.cheat b/data/generated/cheatsheets/libsqlite3-dev.cheat new file mode 100644 index 0000000..796543c --- /dev/null +++ b/data/generated/cheatsheets/libsqlite3-dev.cheat @@ -0,0 +1,7 @@ +# libsqlite3-dev +# Installed via: apt (libsqlite3-dev) + +% libsqlite3-dev + +# Show help for libsqlite3-dev +libsqlite3-dev --help diff --git a/data/generated/cheatsheets/libssl-dev.cheat b/data/generated/cheatsheets/libssl-dev.cheat new file mode 100644 index 0000000..3a2747f --- /dev/null +++ b/data/generated/cheatsheets/libssl-dev.cheat @@ -0,0 +1,7 @@ +# libssl-dev +# Installed via: apt (libssl-dev) + +% libssl-dev + +# Show help for libssl-dev +libssl-dev --help diff --git a/data/generated/cheatsheets/libtool.cheat b/data/generated/cheatsheets/libtool.cheat new file mode 100644 index 0000000..8e38289 --- /dev/null +++ b/data/generated/cheatsheets/libtool.cheat 
@@ -0,0 +1,7 @@ +# libtool +# Installed via: apt (libtool) + +% libtool + +# Show help for libtool +libtool --help diff --git a/data/generated/cheatsheets/libtre5.cheat b/data/generated/cheatsheets/libtre5.cheat new file mode 100644 index 0000000..f613d88 --- /dev/null +++ b/data/generated/cheatsheets/libtre5.cheat @@ -0,0 +1,7 @@ +# libtre5 +# Installed via: apt (libtre5) + +% libtre5 + +# Show help for libtre5 +libtre5 --help diff --git a/data/generated/cheatsheets/libusb-1.cheat b/data/generated/cheatsheets/libusb-1.cheat new file mode 100644 index 0000000..1f21b23 --- /dev/null +++ b/data/generated/cheatsheets/libusb-1.cheat @@ -0,0 +1,7 @@ +# libusb-1 +# Installed via: apt (libusb-1.0-0) + +% libusb-1 + +# Show help for libusb-1 +libusb-1 --help diff --git a/data/generated/cheatsheets/libxml2-dev.cheat b/data/generated/cheatsheets/libxml2-dev.cheat new file mode 100644 index 0000000..30f48dc --- /dev/null +++ b/data/generated/cheatsheets/libxml2-dev.cheat @@ -0,0 +1,7 @@ +# libxml2-dev +# Installed via: apt (libxml2-dev) + +% libxml2-dev + +# Show help for libxml2-dev +libxml2-dev --help diff --git a/data/generated/cheatsheets/libxslt1-dev.cheat b/data/generated/cheatsheets/libxslt1-dev.cheat new file mode 100644 index 0000000..7c6694c --- /dev/null +++ b/data/generated/cheatsheets/libxslt1-dev.cheat @@ -0,0 +1,7 @@ +# libxslt1-dev +# Installed via: apt (libxslt1-dev) + +% libxslt1-dev + +# Show help for libxslt1-dev +libxslt1-dev --help diff --git a/data/generated/cheatsheets/lief.cheat b/data/generated/cheatsheets/lief.cheat new file mode 100644 index 0000000..728945a --- /dev/null +++ b/data/generated/cheatsheets/lief.cheat @@ -0,0 +1,9 @@ +# lief +# Parse and analyze PE, ELF, MachO, DEX, OAT, VDEX, ART, and DWARF executable formats. +# Category: Examine Static Properties > General +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + +% lief + +# Show help for lief +lief --help 
diff --git a/data/generated/cheatsheets/linux-headers.cheat b/data/generated/cheatsheets/linux-headers.cheat new file mode 100644 index 0000000..0e01f82 --- /dev/null +++ b/data/generated/cheatsheets/linux-headers.cheat @@ -0,0 +1,7 @@ +# linux-headers +# Installed via: apt (linux-headers-generic) + +% linux-headers + +# Show help for linux-headers +linux-headers --help diff --git a/data/generated/cheatsheets/ltrace.cheat b/data/generated/cheatsheets/ltrace.cheat new file mode 100644 index 0000000..a3edd5b --- /dev/null +++ b/data/generated/cheatsheets/ltrace.cheat @@ -0,0 +1,7 @@ +# ltrace +# Installed via: apt (ltrace) + +% ltrace + +# Show help for ltrace +ltrace --help diff --git a/data/generated/cheatsheets/magika.cheat b/data/generated/cheatsheets/magika.cheat new file mode 100644 index 0000000..2eb3299 --- /dev/null +++ b/data/generated/cheatsheets/magika.cheat @@ -0,0 +1,9 @@ +# magika +# Identify file type using signatures. +# Category: Examine Static Properties > General +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + +% magika + +# Show help for magika +magika --help diff --git a/data/generated/cheatsheets/mail-parser.cheat b/data/generated/cheatsheets/mail-parser.cheat new file mode 100644 index 0000000..bc86b43 --- /dev/null +++ b/data/generated/cheatsheets/mail-parser.cheat @@ -0,0 +1,8 @@ +# mail-parser +# Parse raw SMTP email messages and extract headers, body, and attachments +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages + +% email, parsing, attachments + +# Basic usage +python3 -c "import mailparser; mail = mailparser.parse_from_file(''); print(mail.subject)" diff --git a/data/generated/cheatsheets/malcat-lite.cheat b/data/generated/cheatsheets/malcat-lite.cheat new file mode 100644 index 0000000..9ab48b2 --- /dev/null +++ b/data/generated/cheatsheets/malcat-lite.cheat 
@@ -0,0 +1,9 @@ +# Malcat Lite +# Analyze binary files using a hex editor, disassembler, and file dissector. +# Category: Examine Static Properties > General +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + +% malcat-lite + +# Show help for Malcat Lite +Malcat Lite --help diff --git a/data/generated/cheatsheets/malcat.cheat b/data/generated/cheatsheets/malcat.cheat new file mode 100644 index 0000000..6989e36 --- /dev/null +++ b/data/generated/cheatsheets/malcat.cheat @@ -0,0 +1,7 @@ +# malcat +# Installed via: manual (remnux-tools-malcat-pip-deps) + +% malcat + +# Show help for malcat +malcat --help diff --git a/data/generated/cheatsheets/malchive.cheat b/data/generated/cheatsheets/malchive.cheat new file mode 100644 index 0000000..044a3ba --- /dev/null +++ b/data/generated/cheatsheets/malchive.cheat @@ -0,0 +1,8 @@ +# Malchive +# Multi-purpose malware analysis library — config extraction, deobfuscation, and static analysis +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + +% malware, config-extraction, deobfuscation + +# Basic usage +malchive diff --git a/data/generated/cheatsheets/malwoverview.cheat b/data/generated/cheatsheets/malwoverview.cheat new file mode 100644 index 0000000..b6c422a --- /dev/null +++ b/data/generated/cheatsheets/malwoverview.cheat @@ -0,0 +1,11 @@ +# malwoverview +# Query VirusTotal, Hybrid Analysis, and MalwareBazaar for malware intelligence +# Docs: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + +% threat-intel, virustotal, malware-bazaar + +# Basic usage +malwoverview -v + +# Process input file +malwoverview -f diff --git a/data/generated/cheatsheets/manalyze.cheat b/data/generated/cheatsheets/manalyze.cheat new file mode 100644 index 0000000..9dd7349 --- /dev/null +++ b/data/generated/cheatsheets/manalyze.cheat @@ -0,0 +1,7 @@ +# manalyze +# Installed via: apt (manalyze) + +% manalyze + +# Show help for manalyze +manalyze --help 
diff --git a/data/generated/cheatsheets/mbcscan.cheat b/data/generated/cheatsheets/mbcscan.cheat new file mode 100644 index 0000000..7e228ea --- /dev/null +++ b/data/generated/cheatsheets/mbcscan.cheat @@ -0,0 +1,9 @@ +# mbcscan +# Scan a PE file to list the associated Malware Behavior Catalog (MBC) details. +# Category: Statically Analyze Code > PE Files +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files + +% mbcscan + +# Show help for mbcscan +mbcscan --help diff --git a/data/generated/cheatsheets/mercurial.cheat b/data/generated/cheatsheets/mercurial.cheat new file mode 100644 index 0000000..0c9ec8e --- /dev/null +++ b/data/generated/cheatsheets/mercurial.cheat @@ -0,0 +1,7 @@ +# mercurial +# Installed via: apt (mercurial) + +% mercurial + +# Show help for mercurial +mercurial --help diff --git a/data/generated/cheatsheets/microsoft-vscode.cheat b/data/generated/cheatsheets/microsoft-vscode.cheat new file mode 100644 index 0000000..dc4562e --- /dev/null +++ b/data/generated/cheatsheets/microsoft-vscode.cheat @@ -0,0 +1,7 @@ +# microsoft-vscode +# Installed via: unknown (microsoft-vscode) + +% microsoft-vscode + +# Show help for microsoft-vscode +microsoft-vscode --help diff --git a/data/generated/cheatsheets/microsoft.cheat b/data/generated/cheatsheets/microsoft.cheat new file mode 100644 index 0000000..44a295e --- /dev/null +++ b/data/generated/cheatsheets/microsoft.cheat @@ -0,0 +1,7 @@ +# microsoft +# Installed via: unknown (deb) + +% microsoft + +# Show help for microsoft +microsoft --help diff --git a/data/generated/cheatsheets/mitmproxy.cheat b/data/generated/cheatsheets/mitmproxy.cheat new file mode 100644 index 0000000..a5a1db3 --- /dev/null +++ b/data/generated/cheatsheets/mitmproxy.cheat 
@@ -0,0 +1,14 @@ +# mitmproxy +# Interactive HTTPS proxy for intercepting, inspecting, and modifying encrypted web traffic +# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring + +% network, https, proxy, tls, interception + +# Basic usage +mitmproxy + +# Alternative usage +mitmdump -w capture.flow + +# Alternative usage +mitmproxy --mode transparent diff --git a/data/generated/cheatsheets/mono-devel.cheat b/data/generated/cheatsheets/mono-devel.cheat new file mode 100644 index 0000000..17be280 --- /dev/null +++ b/data/generated/cheatsheets/mono-devel.cheat @@ -0,0 +1,7 @@ +# mono-devel +# Installed via: apt (mono-devel) + +% mono-devel + +# Show help for mono-devel +mono-devel --help diff --git a/data/generated/cheatsheets/mono-utils.cheat b/data/generated/cheatsheets/mono-utils.cheat new file mode 100644 index 0000000..0913312 --- /dev/null +++ b/data/generated/cheatsheets/mono-utils.cheat @@ -0,0 +1,7 @@ +# mono-utils +# Installed via: apt (mono-utils) + +% mono-utils + +# Show help for mono-utils +mono-utils --help diff --git a/data/generated/cheatsheets/mono.cheat b/data/generated/cheatsheets/mono.cheat new file mode 100644 index 0000000..68aeee6 --- /dev/null +++ b/data/generated/cheatsheets/mono.cheat @@ -0,0 +1,7 @@ +# mono +# Installed via: unknown (mono) + +% mono + +# Show help for mono +mono --help diff --git a/data/generated/cheatsheets/monodis.cheat b/data/generated/cheatsheets/monodis.cheat new file mode 100644 index 0000000..5d21875 --- /dev/null +++ b/data/generated/cheatsheets/monodis.cheat @@ -0,0 +1,9 @@ +# monodis +# Disassemble and extract resources from. +# Category: Examine Static Properties > .NET +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/.net + +% monodis + +# Show help for monodis +monodis --help diff --git a/data/generated/cheatsheets/msg-extractor.cheat b/data/generated/cheatsheets/msg-extractor.cheat new file mode 100644 index 0000000..a77edae --- /dev/null 
+++ b/data/generated/cheatsheets/msg-extractor.cheat @@ -0,0 +1,11 @@ +# msg-extractor +# Extract emails and attachments from Microsoft Outlook MSG files +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages + +% email, msg, outlook, attachments + +# Basic usage +extract_msg + +# Save output to file +extract_msg --out-dir output/ diff --git a/data/generated/cheatsheets/msgconvert.cheat b/data/generated/cheatsheets/msgconvert.cheat new file mode 100644 index 0000000..c230495 --- /dev/null +++ b/data/generated/cheatsheets/msgconvert.cheat @@ -0,0 +1,9 @@ +# msgconvert +# Convert MSG files to MBOX files. +# Category: Analyze Documents > Email Messages +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages + +% msgconvert + +# Show help for msgconvert +msgconvert --help diff --git a/data/generated/cheatsheets/msitools.cheat b/data/generated/cheatsheets/msitools.cheat new file mode 100644 index 0000000..9f0e299 --- /dev/null +++ b/data/generated/cheatsheets/msitools.cheat @@ -0,0 +1,9 @@ +# msitools +# Create, inspect and extract Windows Installer (. +# Category: Examine Static Properties > General +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + +% msitools + +# Show help for msitools +msitools --help diff --git a/data/generated/cheatsheets/msoffcrypto-crack.py.cheat b/data/generated/cheatsheets/msoffcrypto-crack.py.cheat new file mode 100644 index 0000000..977ff8d --- /dev/null +++ b/data/generated/cheatsheets/msoffcrypto-crack.py.cheat @@ -0,0 +1,9 @@ +# msoffcrypto-crack.py +# Recover the password of an encrypted Microsoft Office document. +# Category: Analyze Documents > Microsoft Office +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + +% msoffcrypto-crack.py + +# Show help for msoffcrypto-crack.py +msoffcrypto-crack.py --help 
diff --git a/data/generated/cheatsheets/msoffcrypto-tool.cheat b/data/generated/cheatsheets/msoffcrypto-tool.cheat new file mode 100644 index 0000000..fbd8612 --- /dev/null +++ b/data/generated/cheatsheets/msoffcrypto-tool.cheat @@ -0,0 +1,18 @@ +# msoffcrypto-tool +# Decrypt password-protected Microsoft Office documents (OLE and OOXML) +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + +% office, decryption, password + +# Basic usage +msoffcrypto-tool -p infected + +# Save output to file +msoffcrypto-tool -p password + + +# --- Recipes (multi-tool chains) --- + +# >> Decrypt Password-Protected Office Document +# Common malware passwords: infected, malware, password, 123456 +msoffcrypto-tool -p infected diff --git a/data/generated/cheatsheets/msoffice-crypt.cheat b/data/generated/cheatsheets/msoffice-crypt.cheat new file mode 100644 index 0000000..b271381 --- /dev/null +++ b/data/generated/cheatsheets/msoffice-crypt.cheat @@ -0,0 +1,9 @@ +# msoffice-crypt +# Encrypt and decrypt OOXML Microsoft Office documents. +# Category: Analyze Documents > Microsoft Office +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + +% msoffice-crypt + +# Show help for msoffice-crypt +msoffice-crypt --help diff --git a/data/generated/cheatsheets/myip.cheat b/data/generated/cheatsheets/myip.cheat new file mode 100644 index 0000000..e81a222 --- /dev/null +++ b/data/generated/cheatsheets/myip.cheat @@ -0,0 +1,9 @@ +# myip +# Determine the IP address of the default network interface. +# Category: General Utilities +# Docs: https://docs.remnux.org/discover-the-tools/general+utilities + +% myip + +# Show help for myip +myip --help diff --git a/data/generated/cheatsheets/myjson-filter.py.cheat b/data/generated/cheatsheets/myjson-filter.py.cheat new file mode 100644 index 0000000..d29fc37 --- /dev/null +++ b/data/generated/cheatsheets/myjson-filter.py.cheat 
@@ -0,0 +1,9 @@ +# myjson-filter.py +# Filter data formatted using the JSON format used by Didier Stevens' tools. +# Category: General Utilities +# Docs: https://docs.remnux.org/discover-the-tools/general+utilities + +% myjson-filter.py + +# Show help for myjson-filter.py +myjson-filter.py --help diff --git a/data/generated/cheatsheets/mynic.cheat b/data/generated/cheatsheets/mynic.cheat new file mode 100644 index 0000000..d80ad77 --- /dev/null +++ b/data/generated/cheatsheets/mynic.cheat @@ -0,0 +1,7 @@ +# mynic +# Installed via: script (mynic) + +% mynic + +# Show help for mynic +mynic --help diff --git a/data/generated/cheatsheets/name-that-hash.cheat b/data/generated/cheatsheets/name-that-hash.cheat new file mode 100644 index 0000000..61525fc --- /dev/null +++ b/data/generated/cheatsheets/name-that-hash.cheat @@ -0,0 +1,9 @@ +# name-that-hash +# Identify dfferent types of hashes. +# Category: Examine Static Properties > General +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + +% name-that-hash + +# Show help for name-that-hash +name-that-hash --help diff --git a/data/generated/cheatsheets/nano.cheat b/data/generated/cheatsheets/nano.cheat new file mode 100644 index 0000000..db04325 --- /dev/null +++ b/data/generated/cheatsheets/nano.cheat @@ -0,0 +1,7 @@ +# nano +# Installed via: apt (nano) + +% nano + +# Show help for nano +nano --help diff --git a/data/generated/cheatsheets/nasm.cheat b/data/generated/cheatsheets/nasm.cheat new file mode 100644 index 0000000..5a90fe3 --- /dev/null +++ b/data/generated/cheatsheets/nasm.cheat @@ -0,0 +1,9 @@ +# nasm +# An x86-64 assembler. +# Category: General Utilities +# Docs: https://docs.remnux.org/discover-the-tools/general+utilities + +% nasm + +# Show help for nasm +nasm --help diff --git a/data/generated/cheatsheets/nautilus.cheat b/data/generated/cheatsheets/nautilus.cheat new file mode 100644 index 0000000..9ab4f90 --- /dev/null +++ b/data/generated/cheatsheets/nautilus.cheat 
@@ -0,0 +1,9 @@ +# nautilus +# Graphical file manager. +# Category: General Utilities +# Docs: https://docs.remnux.org/discover-the-tools/general+utilities + +% nautilus + +# Show help for nautilus +nautilus --help diff --git a/data/generated/cheatsheets/nc.cheat b/data/generated/cheatsheets/nc.cheat new file mode 100644 index 0000000..c51e49d --- /dev/null +++ b/data/generated/cheatsheets/nc.cheat @@ -0,0 +1,12 @@ +# nc +# Network utility for reading/writing data across TCP/UDP connections +# Sections: 1 +# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting + +% network, tcp, listener + +# Basic usage +nc -l -p 3127 + +# Alternative usage +nc target_ip 80 diff --git a/data/generated/cheatsheets/ndg-httpsclient.cheat b/data/generated/cheatsheets/ndg-httpsclient.cheat new file mode 100644 index 0000000..159250f --- /dev/null +++ b/data/generated/cheatsheets/ndg-httpsclient.cheat @@ -0,0 +1,7 @@ +# ndg-httpsclient +# Installed via: pip (remnux-python3-packages-ndg-httpsclient) + +% ndg-httpsclient + +# Show help for ndg-httpsclient +ndg-httpsclient --help diff --git a/data/generated/cheatsheets/net-tools.cheat b/data/generated/cheatsheets/net-tools.cheat new file mode 100644 index 0000000..0e29626 --- /dev/null +++ b/data/generated/cheatsheets/net-tools.cheat @@ -0,0 +1,7 @@ +# net-tools +# Installed via: apt (net-tools) + +% net-tools + +# Show help for net-tools +net-tools --help diff --git a/data/generated/cheatsheets/network-miner-free-edition.cheat b/data/generated/cheatsheets/network-miner-free-edition.cheat new file mode 100644 index 0000000..2f68885 --- /dev/null +++ b/data/generated/cheatsheets/network-miner-free-edition.cheat 
@@ -0,0 +1,9 @@ +# Network Miner Free Edition +# Examine network traffic and carve PCAP capture files. +# Category: Explore Network Interactions > Monitoring +# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring + +% network-miner-free-edition + +# Show help for Network Miner Free Edition +Network Miner Free Edition --help diff --git a/data/generated/cheatsheets/networkminer.cheat b/data/generated/cheatsheets/networkminer.cheat new file mode 100644 index 0000000..2d3bfbc --- /dev/null +++ b/data/generated/cheatsheets/networkminer.cheat @@ -0,0 +1,18 @@ +# networkminer +# Passive network traffic analyzer — extracts files, images, credentials from PCAP captures + +% network, pcap, file-carving, passive + +# Basic usage +NetworkMiner --pcap + + +# --- Recipes (multi-tool chains) --- + +# >> Extract Files from Network Capture +# Carve files using signatures +tcpxtract -f -o carved/ +# Extract individual TCP streams +tcpflow -r -o streams/ +# Or use NetworkMiner for automated extraction +NetworkMiner --pcap diff --git a/data/generated/cheatsheets/nginx.cheat b/data/generated/cheatsheets/nginx.cheat new file mode 100644 index 0000000..9e33900 --- /dev/null +++ b/data/generated/cheatsheets/nginx.cheat @@ -0,0 +1,9 @@ +# nginx +# Web server. +# Category: Explore Network Interactions > Services +# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services + +% nginx + +# Show help for nginx +nginx --help diff --git a/data/generated/cheatsheets/ngrep.cheat b/data/generated/cheatsheets/ngrep.cheat new file mode 100644 index 0000000..dd50607 --- /dev/null +++ b/data/generated/cheatsheets/ngrep.cheat 
@@ -0,0 +1,11 @@ +# ngrep +# Search network traffic for patterns — like grep for packets +# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring + +% network, search, pattern-matching + +# Basic usage +ngrep -I 'password' + +# Dump/extract content +ngrep -d eth0 'GET|POST' 'tcp port 80' diff --git a/data/generated/cheatsheets/nodejs.cheat b/data/generated/cheatsheets/nodejs.cheat new file mode 100644 index 0000000..0f68617 --- /dev/null +++ b/data/generated/cheatsheets/nodejs.cheat @@ -0,0 +1,7 @@ +# nodejs +# Installed via: npm (remnux-packages-nodejs) + +% nodejs + +# Show help for nodejs +nodejs --help diff --git a/data/generated/cheatsheets/nomorexor.cheat b/data/generated/cheatsheets/nomorexor.cheat new file mode 100644 index 0000000..77387cf --- /dev/null +++ b/data/generated/cheatsheets/nomorexor.cheat @@ -0,0 +1,9 @@ +# nomorexor +# Help guess a file's 256-byte XOR by using frequency analysis. +# Category: Examine Static Properties > Deobfuscation +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + +% nomorexor + +# Show help for nomorexor +nomorexor --help diff --git a/data/generated/cheatsheets/nslookup.cheat b/data/generated/cheatsheets/nslookup.cheat new file mode 100644 index 0000000..24c5f98 --- /dev/null +++ b/data/generated/cheatsheets/nslookup.cheat @@ -0,0 +1,8 @@ +# nslookup +# DNS query tool for testing name resolution +# FOR610 Labs: 1.3 | Sections: 1 + +% dns, testing + +# Basic usage +nslookup domain.com diff --git a/data/generated/cheatsheets/nsrllookup.cheat b/data/generated/cheatsheets/nsrllookup.cheat new file mode 100644 index 0000000..489dcdb --- /dev/null +++ b/data/generated/cheatsheets/nsrllookup.cheat 
@@ -0,0 +1,9 @@ +# nsrllookup +# Look up MD5 file hashes in the NIST National Software Reference Library (NSRL). +# Category: Gather and Analyze Data +# Docs: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + +% nsrllookup + +# Show help for nsrllookup +nsrllookup --help diff --git a/data/generated/cheatsheets/numbers-to-string.py.cheat b/data/generated/cheatsheets/numbers-to-string.py.cheat new file mode 100644 index 0000000..6e18ad7 --- /dev/null +++ b/data/generated/cheatsheets/numbers-to-string.py.cheat @@ -0,0 +1,18 @@ +# numbers-to-string.py +# Convert sequences of decimal numbers to readable characters +# FOR610 Labs: 3.3 | Sections: 3 | Author: Didier Stevens +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + +% decoding, deobfuscation, didier-stevens + +# Basic usage +oledump.py doc.docm -s A3 -v | numbers-to-string.py -j + + +# --- Recipes (multi-tool chains) --- + +# >> Decode VBA Number Arrays to Strings +# Extract VBA and convert number sequences to text +oledump.py -s -v | numbers-to-string.py -j +# Same but with line-break formatting for readability +oledump.py -s -v | numbers-to-string.py -j | sed 's/;/;\n/g' diff --git a/data/generated/cheatsheets/objdump.cheat b/data/generated/cheatsheets/objdump.cheat new file mode 100644 index 0000000..624b602 --- /dev/null +++ b/data/generated/cheatsheets/objdump.cheat @@ -0,0 +1,9 @@ +# objdump +# Disassemble binary files. +# Category: Statically Analyze Code > General +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/general + +% objdump + +# Show help for objdump +objdump --help diff --git a/data/generated/cheatsheets/objects.js.cheat b/data/generated/cheatsheets/objects.js.cheat new file mode 100644 index 0000000..1edd7df --- /dev/null +++ b/data/generated/cheatsheets/objects.js.cheat 
@@ -0,0 +1,9 @@ +# objects.js +# Emulate common browser and PDF viewer objects, methods, and properties when deobfuscating JavaScript. +# Category: Dynamically Reverse-Engineer Code > Scripts +# Docs: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts + +% objects.js + +# Show help for objects.js +objects.js --help diff --git a/data/generated/cheatsheets/oledump.py.cheat b/data/generated/cheatsheets/oledump.py.cheat new file mode 100644 index 0000000..0b9ea87 --- /dev/null +++ b/data/generated/cheatsheets/oledump.py.cheat 
@@ -0,0 +1,47 @@ +# oledump.py +# Analyze OLE2 files (Office documents), extract streams and VBA macros +# FOR610 Labs: 3.3, 3.4, 4.5 | Sections: 3, 4 | Author: Didier Stevens +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + +% office, vba, macro, ole, didier-stevens + +# Basic usage +oledump.py document.docm + +# Select specific item +oledump.py document.docm -s A3 -v + +# Alternative usage +oledump.py document.docm -i + + +# --- Recipes (multi-tool chains) --- + +# >> Extract Base64 PowerShell from Office Macro +# List streams — find macro (M) and data streams +oledump.py +# Extract VBA source to understand what the macro does +oledump.py -s -v +# Scan data stream for Base64 strings +oledump.py -s -d | base64dump.py -n 10 +# Decode the longest Base64 hit to file +oledump.py -s -d | base64dump.py -s 1 -d > payload.ps1 + +# >> Decode VBA Number Arrays to Strings +# Extract VBA and convert number sequences to text +oledump.py -s -v | numbers-to-string.py -j +# Same but with line-break formatting for readability +oledump.py -s -v | numbers-to-string.py -j | sed 's/;/;\n/g' + +# >> Full Office Macro Decode Chain +# Step 1: List streams and extract VBA +oledump.py +oledump.py -s -v +# Step 2: Extract Base64 from data stream +oledump.py -s -d | base64dump.py -s 1 -d > stage1.ps1 +# Step 3: Decode second Base64 layer + decompress +base64dump.py stage1.ps1 -s 3 -d | gunzip > stage2.ps1 +# Step 4: XOR decode the shellcode +base64dump.py stage2.ps1 -s 2 -d | translate.py 'byte ^ 35' > shellcode.bin +# Step 5: Emulate the shellcode +scdbgc /f shellcode.bin /s -1 diff --git a/data/generated/cheatsheets/olefile.cheat b/data/generated/cheatsheets/olefile.cheat new file mode 100644 index 0000000..0f5869e --- /dev/null +++ b/data/generated/cheatsheets/olefile.cheat 
@@ -0,0 +1,9 @@ +# olefile +# Python package to parse, read and write MS OLE2 files. +# Category: Analyze Documents > Microsoft Office +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + +% olefile + +# Show help for olefile +olefile --help diff --git a/data/generated/cheatsheets/olevba.cheat b/data/generated/cheatsheets/olevba.cheat new file mode 100644 index 0000000..834fe16 --- /dev/null +++ b/data/generated/cheatsheets/olevba.cheat @@ -0,0 +1,12 @@ +# olevba +# Extract and analyze VBA macros from Office documents with deobfuscation +# Sections: 3 +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + +% office, vba, macro, deobfuscation + +# Basic usage +olevba document.docm + +# Alternative usage +olevba --deobf document.docm diff --git a/data/generated/cheatsheets/onedump.py.cheat b/data/generated/cheatsheets/onedump.py.cheat new file mode 100644 index 0000000..c821b6c --- /dev/null +++ b/data/generated/cheatsheets/onedump.py.cheat @@ -0,0 +1,9 @@ +# onedump.py +# Extract and analyze embedded files from OneNote documents. +# Category: Analyze Documents > Microsoft Office +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + +% onedump.py + +# Show help for onedump.py +onedump.py --help diff --git a/data/generated/cheatsheets/opencode.cheat b/data/generated/cheatsheets/opencode.cheat new file mode 100644 index 0000000..0e27b20 --- /dev/null +++ b/data/generated/cheatsheets/opencode.cheat @@ -0,0 +1,9 @@ +# opencode +# Open-source AI coding agent for the terminal. +# Category: Use Artificial Intelligence +# Docs: https://docs.remnux.org/discover-the-tools/use+artificial+intelligence + +% opencode + +# Show help for opencode +opencode --help diff --git a/data/generated/cheatsheets/openjdk.cheat b/data/generated/cheatsheets/openjdk.cheat new file mode 100644 index 0000000..77e3a1e --- /dev/null +++ b/data/generated/cheatsheets/openjdk.cheat 
@@ -0,0 +1,7 @@ +# openjdk +# Installed via: unknown (openjdk) + +% openjdk + +# Show help for openjdk +openjdk --help diff --git a/data/generated/cheatsheets/openssh.cheat b/data/generated/cheatsheets/openssh.cheat new file mode 100644 index 0000000..68d3326 --- /dev/null +++ b/data/generated/cheatsheets/openssh.cheat @@ -0,0 +1,9 @@ +# openssh +# Initiate and receive SSH and SFTP connections. +# Category: General Utilities +# Docs: https://docs.remnux.org/discover-the-tools/general+utilities + +% openssh + +# Show help for openssh +openssh --help diff --git a/data/generated/cheatsheets/openssl.cheat b/data/generated/cheatsheets/openssl.cheat new file mode 100644 index 0000000..aeb0a47 --- /dev/null +++ b/data/generated/cheatsheets/openssl.cheat @@ -0,0 +1,7 @@ +# openssl +# Installed via: apt (openssl) + +% openssl + +# Show help for openssl +openssl --help diff --git a/data/generated/cheatsheets/origamindee.cheat b/data/generated/cheatsheets/origamindee.cheat new file mode 100644 index 0000000..a1db5ee --- /dev/null +++ b/data/generated/cheatsheets/origamindee.cheat @@ -0,0 +1,9 @@ +# origamindee +# Parse, modify, generate PDF files. +# Category: Analyze Documents > PDF +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/pdf + +% origamindee + +# Show help for origamindee +origamindee --help diff --git a/data/generated/cheatsheets/osarch.cheat b/data/generated/cheatsheets/osarch.cheat new file mode 100644 index 0000000..d8f6165 --- /dev/null +++ b/data/generated/cheatsheets/osarch.cheat @@ -0,0 +1,7 @@ +# osarch +# Installed via: unknown (osarch) + +% osarch + +# Show help for osarch +osarch --help diff --git a/data/generated/cheatsheets/pcode2code.cheat b/data/generated/cheatsheets/pcode2code.cheat new file mode 100644 index 0000000..22b5934 --- /dev/null +++ b/data/generated/cheatsheets/pcode2code.cheat 
@@ -0,0 +1,17 @@ +# pcode2code +# Decompile VBA p-code from Office documents — works even when VBA source is removed +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + +% office, vba, p-code, decompilation + +# Basic usage +pcode2code + + +# --- Recipes (multi-tool chains) --- + +# >> Recover VBA from p-code (source removed) +# Decompile p-code back to VBA source +pcode2code +# Or disassemble p-code to assembly +pcodedmp diff --git a/data/generated/cheatsheets/pcodedmp.cheat b/data/generated/cheatsheets/pcodedmp.cheat new file mode 100644 index 0000000..9ceb67f --- /dev/null +++ b/data/generated/cheatsheets/pcodedmp.cheat @@ -0,0 +1,9 @@ +# pcodedmp +# Disassemble VBA p-code. +# Category: Analyze Documents > Microsoft Office +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + +% pcodedmp + +# Show help for pcodedmp +pcodedmp --help diff --git a/data/generated/cheatsheets/pdf-parser.py.cheat b/data/generated/cheatsheets/pdf-parser.py.cheat new file mode 100644 index 0000000..f732ee8 --- /dev/null +++ b/data/generated/cheatsheets/pdf-parser.py.cheat 
@@ -0,0 +1,41 @@ +# pdf-parser.py +# Parse PDF structure, locate objects, extract content, and search for strings +# FOR610 Labs: 3.1 | Sections: 1, 3 | Author: Didier Stevens +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/pdf + +% pdf, static-analysis, object-extraction, didier-stevens + +# Basic usage +pdf-parser.py document.pdf -a + +# Select specific item +pdf-parser.py document.pdf -s /URI + +# Extract by keyword +pdf-parser.py document.pdf -k /URI + +# Dump/extract content +pdf-parser.py document.pdf -o 6 -d object6.jpg + + +# --- Recipes (multi-tool chains) --- + +# >> Extract Embedded Object from PDF +# Scan for suspicious keywords +pdfid.py +# Find objects containing the keyword +pdf-parser.py -s /URI +# Extract all values for that keyword +pdf-parser.py -k /URI +# Dump a specific object to file +pdf-parser.py -o -d extracted_object +# View extracted image +feh extracted_object & + +# >> Extract JavaScript from PDF +# Check if PDF contains JavaScript +pdfid.py +# Find objects with JavaScript +pdf-parser.py -s /JavaScript +# Interactive analysis with peepdf +peepdf -i diff --git a/data/generated/cheatsheets/pdfid.py.cheat b/data/generated/cheatsheets/pdfid.py.cheat new file mode 100644 index 0000000..54f764e --- /dev/null +++ b/data/generated/cheatsheets/pdfid.py.cheat 
@@ -0,0 +1,35 @@ +# pdfid.py +# Scan PDF files for suspicious keywords like /JavaScript, /OpenAction, /Launch without parsing +# FOR610 Labs: 3.1 | Sections: 1, 3 | Author: Didier Stevens +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/pdf + +% pdf, static-analysis, triage, didier-stevens + +# Basic usage +pdfid.py document.pdf + +# Suppress default output +pdfid.py -n document.pdf + + +# --- Recipes (multi-tool chains) --- + +# >> Extract Embedded Object from PDF +# Scan for suspicious keywords +pdfid.py +# Find objects containing the keyword +pdf-parser.py -s /URI +# Extract all values for that keyword +pdf-parser.py -k /URI +# Dump a specific object to file +pdf-parser.py -o -d extracted_object +# View extracted image +feh extracted_object & + +# >> Extract JavaScript from PDF +# Check if PDF contains JavaScript +pdfid.py +# Find objects with JavaScript +pdf-parser.py -s /JavaScript +# Interactive analysis with peepdf +peepdf -i diff --git a/data/generated/cheatsheets/pdfresurrect.cheat b/data/generated/cheatsheets/pdfresurrect.cheat new file mode 100644 index 0000000..f3cf45a --- /dev/null +++ b/data/generated/cheatsheets/pdfresurrect.cheat @@ -0,0 +1,9 @@ +# pdfresurrect +# Extract and analyze previous versions from PDF files +# Sections: 1 +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/pdf + +% pdf, versioning + +# Basic usage +pdfresurrect document.pdf diff --git a/data/generated/cheatsheets/pdftk.cheat b/data/generated/cheatsheets/pdftk.cheat new file mode 100644 index 0000000..f26596f --- /dev/null +++ b/data/generated/cheatsheets/pdftk.cheat @@ -0,0 +1,12 @@ +# pdftk +# Manipulate PDF files — merge, split, flatten, encrypt, and extract embedded content +# Sections: 3 +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/pdf + +% pdf, manipulation, extraction + +# Basic usage +pdftk input.pdf cat output output.pdf flatten + +# Alternative usage +pdftk input.pdf unpack_files 
diff --git a/data/generated/cheatsheets/pdftool.py.cheat b/data/generated/cheatsheets/pdftool.py.cheat new file mode 100644 index 0000000..9bcdb25 --- /dev/null +++ b/data/generated/cheatsheets/pdftool.py.cheat @@ -0,0 +1,9 @@ +# pdftool.py +# Analyze PDF incremental updates +# Sections: 1 | Author: Didier Stevens +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/pdf + +% pdf, didier-stevens + +# Basic usage +pdftool.py document.pdf diff --git a/data/generated/cheatsheets/pdnstool.cheat b/data/generated/cheatsheets/pdnstool.cheat new file mode 100644 index 0000000..39f45ce --- /dev/null +++ b/data/generated/cheatsheets/pdnstool.cheat @@ -0,0 +1,9 @@ +# pdnstool +# Query passive DNS databases for DNS data. +# Category: Gather and Analyze Data +# Docs: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + +% pdnstool + +# Show help for pdnstool +pdnstool --help diff --git a/data/generated/cheatsheets/pe-tree.cheat b/data/generated/cheatsheets/pe-tree.cheat new file mode 100644 index 0000000..23bb585 --- /dev/null +++ b/data/generated/cheatsheets/pe-tree.cheat @@ -0,0 +1,7 @@ +# pe-tree +# Installed via: pip (remnux-python3-packages-pe-tree) + +% pe-tree + +# Show help for pe-tree +pe-tree --help diff --git a/data/generated/cheatsheets/pedump.cheat b/data/generated/cheatsheets/pedump.cheat new file mode 100644 index 0000000..7de2a6e --- /dev/null +++ b/data/generated/cheatsheets/pedump.cheat @@ -0,0 +1,7 @@ +# pedump +# Installed via: gem (pedump) + +% pedump + +# Show help for pedump +pedump --help diff --git a/data/generated/cheatsheets/peepdf.cheat b/data/generated/cheatsheets/peepdf.cheat new file mode 100644 index 0000000..1b80cd7 --- /dev/null +++ b/data/generated/cheatsheets/peepdf.cheat 
@@ -0,0 +1,23 @@ +# peepdf +# Interactive PDF analysis framework with JavaScript detection and exploitation capabilities +# Sections: 1 +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/pdf + +% pdf, interactive, javascript-detection + +# Basic usage +peepdf -i malicious.pdf + +# Process input file +peepdf -f -i malicious.pdf + + +# --- Recipes (multi-tool chains) --- + +# >> Extract JavaScript from PDF +# Check if PDF contains JavaScript +pdfid.py +# Find objects with JavaScript +pdf-parser.py -s /JavaScript +# Interactive analysis with peepdf +peepdf -i diff --git a/data/generated/cheatsheets/peframe.cheat b/data/generated/cheatsheets/peframe.cheat new file mode 100644 index 0000000..6985c9a --- /dev/null +++ b/data/generated/cheatsheets/peframe.cheat @@ -0,0 +1,8 @@ +# peframe +# Static analysis of PE files — extract properties, detect anomalies, identify packers +# FOR610 Labs: 1.1, 4.8 | Sections: 1, 4 + +% pe, static-analysis, triage + +# Basic usage +peframe specimen.exe diff --git a/data/generated/cheatsheets/perl.cheat b/data/generated/cheatsheets/perl.cheat new file mode 100644 index 0000000..e676177 --- /dev/null +++ b/data/generated/cheatsheets/perl.cheat @@ -0,0 +1,7 @@ +# perl +# Installed via: apt (perl) + +% perl + +# Show help for perl +perl --help diff --git a/data/generated/cheatsheets/pestr.cheat b/data/generated/cheatsheets/pestr.cheat new file mode 100644 index 0000000..9f09827 --- /dev/null +++ b/data/generated/cheatsheets/pestr.cheat @@ -0,0 +1,8 @@ +# pestr +# Extract ASCII and Unicode strings from PE files +# FOR610 Labs: 1.1, 4.8 | Sections: 1, 4 + +% pe, strings, static-analysis + +# Basic usage +pestr specimen.exe diff --git a/data/generated/cheatsheets/pev.cheat b/data/generated/cheatsheets/pev.cheat new file mode 100644 index 0000000..5a735e5 --- /dev/null +++ b/data/generated/cheatsheets/pev.cheat @@ -0,0 +1,7 @@ +# pev +# Installed via: apt (remnux-packages-pev) + +% pev + +# Show help for pev +pev --help 
diff --git a/data/generated/cheatsheets/pgadmin.cheat b/data/generated/cheatsheets/pgadmin.cheat new file mode 100644 index 0000000..d0dd487 --- /dev/null +++ b/data/generated/cheatsheets/pgadmin.cheat @@ -0,0 +1,7 @@ +# pgadmin +# Installed via: unknown (deb) + +% pgadmin + +# Show help for pgadmin +pgadmin --help diff --git a/data/generated/cheatsheets/pip.cheat b/data/generated/cheatsheets/pip.cheat new file mode 100644 index 0000000..fed76dc --- /dev/null +++ b/data/generated/cheatsheets/pip.cheat @@ -0,0 +1,7 @@ +# pip +# Installed via: pip (pip) + +% pip + +# Show help for pip +pip --help diff --git a/data/generated/cheatsheets/pkg-config.cheat b/data/generated/cheatsheets/pkg-config.cheat new file mode 100644 index 0000000..c673c4e --- /dev/null +++ b/data/generated/cheatsheets/pkg-config.cheat @@ -0,0 +1,7 @@ +# pkg-config +# Installed via: apt (pkg-config) + +% pkg-config + +# Show help for pkg-config +pkg-config --help diff --git a/data/generated/cheatsheets/polarproxy.cheat b/data/generated/cheatsheets/polarproxy.cheat new file mode 100644 index 0000000..9771b78 --- /dev/null +++ b/data/generated/cheatsheets/polarproxy.cheat @@ -0,0 +1,8 @@ +# polarproxy +# Transparent TLS proxy that decrypts traffic and saves it as PCAP for analysis in Wireshark +# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring + +% network, tls, decryption, pcap + +# Basic usage +PolarProxy -p 443,80 -w captured.pcap diff --git a/data/generated/cheatsheets/portex.cheat b/data/generated/cheatsheets/portex.cheat new file mode 100644 index 0000000..adab84c --- /dev/null +++ b/data/generated/cheatsheets/portex.cheat @@ -0,0 +1,7 @@ +# portex +# Installed via: apt (portex) + +% portex + +# Show help for portex +portex --help diff --git a/data/generated/cheatsheets/powershell.cheat b/data/generated/cheatsheets/powershell.cheat new file mode 100644 index 0000000..dfe20f5 --- /dev/null +++ b/data/generated/cheatsheets/powershell.cheat 
@@ -0,0 +1,9 @@ +# powershell +# Run PowerShell scripts and commands. +# Category: Dynamically Reverse-Engineer Code > Scripts +# Docs: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts + +% powershell + +# Show help for powershell +powershell --help diff --git a/data/generated/cheatsheets/prefer-ipv4.cheat b/data/generated/cheatsheets/prefer-ipv4.cheat new file mode 100644 index 0000000..8320f70 --- /dev/null +++ b/data/generated/cheatsheets/prefer-ipv4.cheat @@ -0,0 +1,7 @@ +# prefer-ipv4 +# Installed via: unknown (prefer-ipv4) + +% prefer-ipv4 + +# Show help for prefer-ipv4 +prefer-ipv4 --help diff --git a/data/generated/cheatsheets/procdot.cheat b/data/generated/cheatsheets/procdot.cheat new file mode 100644 index 0000000..c74e6ab --- /dev/null +++ b/data/generated/cheatsheets/procdot.cheat @@ -0,0 +1,9 @@ +# ProcDOT +# Visualize Process Monitor logs as interactive graphs for behavioral analysis +# FOR610 Labs: 1.2, 4.5 | Sections: 1, 4 +# Docs: https://docs.remnux.org/discover-the-tools/investigate+system+interactions + +% visualization, process-monitor, behavioral + +# Basic usage +procdot diff --git a/data/generated/cheatsheets/procyon-decompiler.cheat b/data/generated/cheatsheets/procyon-decompiler.cheat new file mode 100644 index 0000000..42e41ff --- /dev/null +++ b/data/generated/cheatsheets/procyon-decompiler.cheat @@ -0,0 +1,7 @@ +# procyon-decompiler +# Installed via: apt (procyon-decompiler) + +% procyon-decompiler + +# Show help for procyon-decompiler +procyon-decompiler --help diff --git a/data/generated/cheatsheets/procyon.cheat b/data/generated/cheatsheets/procyon.cheat new file mode 100644 index 0000000..897459a --- /dev/null +++ b/data/generated/cheatsheets/procyon.cheat @@ -0,0 +1,9 @@ +# Procyon +# Java decompiler. +# Category: Statically Analyze Code > Java +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/java + +% procyon + +# Show help for Procyon +Procyon --help 
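Review bot: `Procyon --help` at the end of procyon.cheat is the tool's display name rather than an executable, so the generated "Show help" command cannot run; the generator appears to fall back to the inventory's human-readable name when it has no binary name. The same pattern yields `REMnux Installer --help` (remnux-installer.cheat), `RSAKeyFinder --help`, `Sleuth Kit --help` and `SQLite --help`, and it also turns library or metapackages with no CLI at all — `python3-dev --help`, `pyelftools --help`, `python3-cryptography --help`, `qtbase5-dev --help` — into commands. Suggest the generator emit a `--help` stub only when it holds a verified binary name (for example one resolved on PATH inside the image) and otherwise write a comment such as `# No command-line entry point; see the Docs link above` in place of the command line, then regenerate.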
diff --git a/data/generated/cheatsheets/protobuf.cheat b/data/generated/cheatsheets/protobuf.cheat new file mode 100644 index 0000000..5dc0c03 --- /dev/null +++ b/data/generated/cheatsheets/protobuf.cheat @@ -0,0 +1,7 @@ +# protobuf +# Installed via: pip (remnux-python3-packages-protobuf-install) + +% protobuf + +# Show help for protobuf +protobuf --help diff --git a/data/generated/cheatsheets/pycdc.cheat b/data/generated/cheatsheets/pycdc.cheat new file mode 100644 index 0000000..0f94e53 --- /dev/null +++ b/data/generated/cheatsheets/pycdc.cheat @@ -0,0 +1,7 @@ +# pycdc +# Installed via: apt (pycdc) + +% pycdc + +# Show help for pycdc +pycdc --help diff --git a/data/generated/cheatsheets/pyelftools.cheat b/data/generated/cheatsheets/pyelftools.cheat new file mode 100644 index 0000000..9504bdf --- /dev/null +++ b/data/generated/cheatsheets/pyelftools.cheat @@ -0,0 +1,7 @@ +# pyelftools +# Installed via: pip (remnux-python3-packages-pyelftools) + +% pyelftools + +# Show help for pyelftools +pyelftools --help diff --git a/data/generated/cheatsheets/pyinstaller-extractor.cheat b/data/generated/cheatsheets/pyinstaller-extractor.cheat new file mode 100644 index 0000000..4586fc5 --- /dev/null +++ b/data/generated/cheatsheets/pyinstaller-extractor.cheat @@ -0,0 +1,9 @@ +# pyinstaller-extractor +# Extract contents of a PyInstaller-generated PE files. +# Category: Statically Analyze Code > Python +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/python + +% pyinstaller-extractor + +# Show help for pyinstaller-extractor +pyinstaller-extractor --help diff --git a/data/generated/cheatsheets/pyinstxtractor-ng.cheat b/data/generated/cheatsheets/pyinstxtractor-ng.cheat new file mode 100644 index 0000000..386fa31 --- /dev/null +++ b/data/generated/cheatsheets/pyinstxtractor-ng.cheat 
@@ -0,0 +1,8 @@ +# pyinstxtractor-ng +# Extract contents of PyInstaller-generated executables without needing matching Python version +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/python + +% python, pyinstaller, extraction + +# Basic usage +pyinstxtractor-ng diff --git a/data/generated/cheatsheets/python-debian.cheat b/data/generated/cheatsheets/python-debian.cheat new file mode 100644 index 0000000..c6de3ec --- /dev/null +++ b/data/generated/cheatsheets/python-debian.cheat @@ -0,0 +1,7 @@ +# python-debian +# Installed via: pip (python-debian) + +% python-debian + +# Show help for python-debian +python-debian --help diff --git a/data/generated/cheatsheets/python3-cryptography.cheat b/data/generated/cheatsheets/python3-cryptography.cheat new file mode 100644 index 0000000..e3a1e08 --- /dev/null +++ b/data/generated/cheatsheets/python3-cryptography.cheat @@ -0,0 +1,7 @@ +# python3-cryptography +# Installed via: apt (remnux-packages-python3-cryptography) + +% python3-cryptography + +# Show help for python3-cryptography +python3-cryptography --help diff --git a/data/generated/cheatsheets/python3-dev.cheat b/data/generated/cheatsheets/python3-dev.cheat new file mode 100644 index 0000000..67c6a2e --- /dev/null +++ b/data/generated/cheatsheets/python3-dev.cheat @@ -0,0 +1,7 @@ +# python3-dev +# Installed via: apt (python3-dev) + +% python3-dev + +# Show help for python3-dev +python3-dev --help diff --git a/data/generated/cheatsheets/python3-dnspython.cheat b/data/generated/cheatsheets/python3-dnspython.cheat new file mode 100644 index 0000000..e5df5a6 --- /dev/null +++ b/data/generated/cheatsheets/python3-dnspython.cheat @@ -0,0 +1,7 @@ +# python3-dnspython +# Installed via: apt (python3-dnspython) + +% python3-dnspython + +# Show help for python3-dnspython +python3-dnspython --help diff --git a/data/generated/cheatsheets/python3-magic.cheat b/data/generated/cheatsheets/python3-magic.cheat new file mode 100644 index 0000000..5e8daea 
--- /dev/null +++ b/data/generated/cheatsheets/python3-magic.cheat @@ -0,0 +1,7 @@ +# python3-magic +# Installed via: apt (python3-magic) + +% python3-magic + +# Show help for python3-magic +python3-magic --help diff --git a/data/generated/cheatsheets/python3-netifaces.cheat b/data/generated/cheatsheets/python3-netifaces.cheat new file mode 100644 index 0000000..59a69ab --- /dev/null +++ b/data/generated/cheatsheets/python3-netifaces.cheat @@ -0,0 +1,7 @@ +# python3-netifaces +# Installed via: apt (python3-netifaces) + +% python3-netifaces + +# Show help for python3-netifaces +python3-netifaces --help diff --git a/data/generated/cheatsheets/python3-numpy.cheat b/data/generated/cheatsheets/python3-numpy.cheat new file mode 100644 index 0000000..4be4f2b --- /dev/null +++ b/data/generated/cheatsheets/python3-numpy.cheat @@ -0,0 +1,7 @@ +# python3-numpy +# Installed via: apt (python3-numpy) + +% python3-numpy + +# Show help for python3-numpy +python3-numpy --help diff --git a/data/generated/cheatsheets/python3-pil.cheat b/data/generated/cheatsheets/python3-pil.cheat new file mode 100644 index 0000000..c49b5c8 --- /dev/null +++ b/data/generated/cheatsheets/python3-pil.cheat @@ -0,0 +1,7 @@ +# python3-pil +# Installed via: apt (python3-pil) + +% python3-pil + +# Show help for python3-pil +python3-pil --help diff --git a/data/generated/cheatsheets/python3-pip.cheat b/data/generated/cheatsheets/python3-pip.cheat new file mode 100644 index 0000000..fe9c4b2 --- /dev/null +++ b/data/generated/cheatsheets/python3-pip.cheat @@ -0,0 +1,7 @@ +# python3-pip +# Installed via: pip (python3-pip) + +% python3-pip + +# Show help for python3-pip +python3-pip --help diff --git a/data/generated/cheatsheets/python3-pyasn1.cheat b/data/generated/cheatsheets/python3-pyasn1.cheat new file mode 100644 index 0000000..c88091e --- /dev/null +++ b/data/generated/cheatsheets/python3-pyasn1.cheat 
@@ -0,0 +1,7 @@ +# python3-pyasn1 +# Installed via: apt (python3-pyasn1) + +% python3-pyasn1 + +# Show help for python3-pyasn1 +python3-pyasn1 --help diff --git a/data/generated/cheatsheets/python3-pyqt5.cheat b/data/generated/cheatsheets/python3-pyqt5.cheat new file mode 100644 index 0000000..8ba3e50 --- /dev/null +++ b/data/generated/cheatsheets/python3-pyqt5.cheat @@ -0,0 +1,7 @@ +# python3-pyqt5 +# Installed via: apt (python3-pyqt5) + +% python3-pyqt5 + +# Show help for python3-pyqt5 +python3-pyqt5 --help diff --git a/data/generated/cheatsheets/python3-requests.cheat b/data/generated/cheatsheets/python3-requests.cheat new file mode 100644 index 0000000..48e8ab0 --- /dev/null +++ b/data/generated/cheatsheets/python3-requests.cheat @@ -0,0 +1,7 @@ +# python3-requests +# Installed via: apt (remnux-packages-python3-requests) + +% python3-requests + +# Show help for python3-requests +python3-requests --help diff --git a/data/generated/cheatsheets/python3-setuptools.cheat b/data/generated/cheatsheets/python3-setuptools.cheat new file mode 100644 index 0000000..9a718fe --- /dev/null +++ b/data/generated/cheatsheets/python3-setuptools.cheat @@ -0,0 +1,7 @@ +# python3-setuptools +# Installed via: apt (remnux-packages-python3-setuptools) + +% python3-setuptools + +# Show help for python3-setuptools +python3-setuptools --help diff --git a/data/generated/cheatsheets/python3-ssdeep.cheat b/data/generated/cheatsheets/python3-ssdeep.cheat new file mode 100644 index 0000000..2d535b8 --- /dev/null +++ b/data/generated/cheatsheets/python3-ssdeep.cheat @@ -0,0 +1,7 @@ +# python3-ssdeep +# Installed via: apt (python3-ssdeep) + +% python3-ssdeep + +# Show help for python3-ssdeep +python3-ssdeep --help diff --git a/data/generated/cheatsheets/python3-tk.cheat b/data/generated/cheatsheets/python3-tk.cheat new file mode 100644 index 0000000..8bdba6b --- /dev/null +++ b/data/generated/cheatsheets/python3-tk.cheat 
@@ -0,0 +1,7 @@ +# python3-tk +# Installed via: apt (python3-tk) + +% python3-tk + +# Show help for python3-tk +python3-tk --help diff --git a/data/generated/cheatsheets/python3-venv.cheat b/data/generated/cheatsheets/python3-venv.cheat new file mode 100644 index 0000000..abf8a75 --- /dev/null +++ b/data/generated/cheatsheets/python3-venv.cheat @@ -0,0 +1,7 @@ +# python3-venv +# Installed via: apt (python3-venv) + +% python3-venv + +# Show help for python3-venv +python3-venv --help diff --git a/data/generated/cheatsheets/python3-virtualenv.cheat b/data/generated/cheatsheets/python3-virtualenv.cheat new file mode 100644 index 0000000..fbbd841 --- /dev/null +++ b/data/generated/cheatsheets/python3-virtualenv.cheat @@ -0,0 +1,7 @@ +# python3-virtualenv +# Installed via: apt (python3-virtualenv) + +% python3-virtualenv + +# Show help for python3-virtualenv +python3-virtualenv --help diff --git a/data/generated/cheatsheets/python3-wheel.cheat b/data/generated/cheatsheets/python3-wheel.cheat new file mode 100644 index 0000000..46a7ac1 --- /dev/null +++ b/data/generated/cheatsheets/python3-wheel.cheat @@ -0,0 +1,7 @@ +# python3-wheel +# Installed via: apt (remnux-packages-python3-wheel) + +% python3-wheel + +# Show help for python3-wheel +python3-wheel --help diff --git a/data/generated/cheatsheets/python3.cheat b/data/generated/cheatsheets/python3.cheat new file mode 100644 index 0000000..8670f96 --- /dev/null +++ b/data/generated/cheatsheets/python3.cheat @@ -0,0 +1,7 @@ +# python3 +# Installed via: apt (python3) + +% python3 + +# Show help for python3 +python3 --help diff --git a/data/generated/cheatsheets/qiling.cheat b/data/generated/cheatsheets/qiling.cheat new file mode 100644 index 0000000..b237988 --- /dev/null +++ b/data/generated/cheatsheets/qiling.cheat 
@@ -0,0 +1,8 @@ +# qiling +# Multi-platform binary emulation framework — emulate PE, ELF, shellcode across OS/arch combinations +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/general + +% emulation, multi-platform, binary-analysis + +# Basic usage +python3 -c "from qiling import Qiling; ql = Qiling([''], '/path/to/rootfs')" diff --git a/data/generated/cheatsheets/qpdf.cheat b/data/generated/cheatsheets/qpdf.cheat new file mode 100644 index 0000000..089f446 --- /dev/null +++ b/data/generated/cheatsheets/qpdf.cheat @@ -0,0 +1,9 @@ +# qpdf +# Decrypt, linearize, and transform PDF files — useful for removing password protection +# Sections: 3 +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/pdf + +% pdf, decryption, transformation + +# Basic usage +qpdf --decrypt encrypted.pdf output.pdf diff --git a/data/generated/cheatsheets/qtbase5-dev.cheat b/data/generated/cheatsheets/qtbase5-dev.cheat new file mode 100644 index 0000000..b2bfcfc --- /dev/null +++ b/data/generated/cheatsheets/qtbase5-dev.cheat @@ -0,0 +1,7 @@ +# qtbase5-dev +# Installed via: apt (qtbase5-dev) + +% qtbase5-dev + +# Show help for qtbase5-dev +qtbase5-dev --help diff --git a/data/generated/cheatsheets/radare2.cheat b/data/generated/cheatsheets/radare2.cheat new file mode 100644 index 0000000..474677d --- /dev/null +++ b/data/generated/cheatsheets/radare2.cheat @@ -0,0 +1,9 @@ +# radare2 +# Open-source reverse engineering command-line framework +# Sections: 2 +# Docs: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/general + +% disassembly, cli, open-source + +# Basic usage +r2 specimen.exe diff --git a/data/generated/cheatsheets/rar.cheat b/data/generated/cheatsheets/rar.cheat new file mode 100644 index 0000000..2377299 --- /dev/null +++ b/data/generated/cheatsheets/rar.cheat 
@@ -0,0 +1,9 @@ +# rar +# Extract RAR archives (including self-extracting RAR payloads) +# FOR610 Labs: 3.5 | Sections: 3 +# Docs: https://docs.remnux.org/discover-the-tools/general+utilities + +% archive, extraction + +# Basic usage +rar x archive.rar diff --git a/data/generated/cheatsheets/re-search.py.cheat b/data/generated/cheatsheets/re-search.py.cheat new file mode 100644 index 0000000..8ac3533 --- /dev/null +++ b/data/generated/cheatsheets/re-search.py.cheat @@ -0,0 +1,9 @@ +# re-search.py +# Search the file for built-in regular expressions of common suspicious artifacts. +# Category: Examine Static Properties > General +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + +% re-search.py + +# Show help for re-search.py +re-search.py --help diff --git a/data/generated/cheatsheets/redress.cheat b/data/generated/cheatsheets/redress.cheat new file mode 100644 index 0000000..3799a0f --- /dev/null +++ b/data/generated/cheatsheets/redress.cheat @@ -0,0 +1,9 @@ +# redress +# Analyze stripped Go binaries to recover symbols, types, source structure, and integrate with Radare2. +# Category: Examine Static Properties > Go +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/go + +% redress + +# Show help for redress +redress --help diff --git a/data/generated/cheatsheets/refresh.cheat b/data/generated/cheatsheets/refresh.cheat new file mode 100644 index 0000000..b9f533f --- /dev/null +++ b/data/generated/cheatsheets/refresh.cheat @@ -0,0 +1,7 @@ +# refresh +# Installed via: unknown (pkg.refresh_db) + +% refresh + +# Show help for refresh +refresh --help diff --git a/data/generated/cheatsheets/remnux-installer.cheat b/data/generated/cheatsheets/remnux-installer.cheat new file mode 100644 index 0000000..6d6906f --- /dev/null +++ b/data/generated/cheatsheets/remnux-installer.cheat 
@@ -0,0 +1,9 @@ +# REMnux Installer +# Install and update the REMnux distro. +# Category: General Utilities +# Docs: https://docs.remnux.org/discover-the-tools/general+utilities + +% remnux-installer + +# Show help for REMnux Installer +REMnux Installer --help diff --git a/data/generated/cheatsheets/remnux-mcp-server.cheat b/data/generated/cheatsheets/remnux-mcp-server.cheat new file mode 100644 index 0000000..b91c326 --- /dev/null +++ b/data/generated/cheatsheets/remnux-mcp-server.cheat @@ -0,0 +1,9 @@ +# remnux-mcp-server +# MCP server for using the REMnux malware analysis toolkit via AI assistants. +# Category: Use Artificial Intelligence +# Docs: https://docs.remnux.org/discover-the-tools/use+artificial+intelligence + +% remnux-mcp-server + +# Show help for remnux-mcp-server +remnux-mcp-server --help diff --git a/data/generated/cheatsheets/remnux.cheat b/data/generated/cheatsheets/remnux.cheat new file mode 100644 index 0000000..ad6e1d2 --- /dev/null +++ b/data/generated/cheatsheets/remnux.cheat @@ -0,0 +1,7 @@ +# remnux +# Installed via: manual (remnux) + +% remnux + +# Show help for remnux +remnux --help diff --git a/data/generated/cheatsheets/remove-app-icons.cheat b/data/generated/cheatsheets/remove-app-icons.cheat new file mode 100644 index 0000000..48d94e2 --- /dev/null +++ b/data/generated/cheatsheets/remove-app-icons.cheat @@ -0,0 +1,7 @@ +# remove-app-icons +# Installed via: unknown (remove-app-icons) + +% remove-app-icons + +# Show help for remove-app-icons +remove-app-icons --help diff --git a/data/generated/cheatsheets/rhino.cheat b/data/generated/cheatsheets/rhino.cheat new file mode 100644 index 0000000..d71db3b --- /dev/null +++ b/data/generated/cheatsheets/rhino.cheat @@ -0,0 +1,7 @@ +# rhino +# Installed via: apt (rhino) + +% rhino + +# Show help for rhino +rhino --help diff --git a/data/generated/cheatsheets/rsakeyfind.cheat b/data/generated/cheatsheets/rsakeyfind.cheat new file mode 100644 index 0000000..0a4a425 --- /dev/null 
+++ b/data/generated/cheatsheets/rsakeyfind.cheat @@ -0,0 +1,7 @@ +# rsakeyfind +# Installed via: apt (rsakeyfind) + +% rsakeyfind + +# Show help for rsakeyfind +rsakeyfind --help diff --git a/data/generated/cheatsheets/rsakeyfinder.cheat b/data/generated/cheatsheets/rsakeyfinder.cheat new file mode 100644 index 0000000..41dfce5 --- /dev/null +++ b/data/generated/cheatsheets/rsakeyfinder.cheat @@ -0,0 +1,9 @@ +# RSAKeyFinder +# Find BER-encoded RSA private keys in a memory image. +# Category: Perform Memory Forensics +# Docs: https://docs.remnux.org/discover-the-tools/perform+memory+forensics + +% rsakeyfinder + +# Show help for RSAKeyFinder +RSAKeyFinder --help diff --git a/data/generated/cheatsheets/rtfdump.py.cheat b/data/generated/cheatsheets/rtfdump.py.cheat new file mode 100644 index 0000000..c3f1caa --- /dev/null +++ b/data/generated/cheatsheets/rtfdump.py.cheat @@ -0,0 +1,25 @@ +# rtfdump.py +# Analyze RTF file structure, identify hex-encoded groups and embedded objects +# FOR610 Labs: 3.5 | Sections: 3 | Author: Didier Stevens +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + +% rtf, document, didier-stevens + +# Basic usage +rtfdump.py document.rtf + +# Select specific item +rtfdump.py document.rtf -s 5 -H -d > extracted.bin + + +# --- Recipes (multi-tool chains) --- + +# >> Extract Shellcode from RTF Document +# Scan RTF structure — look for groups with lots of hex data +rtfdump.py +# Extract the hex-heavy group as binary +rtfdump.py -s -H -d > extracted.bin +# Scan for shellcode patterns (even XOR-encoded) +XORSearch -W -d 3 extracted.bin +# Emulate shellcode at found offset +scdbgc /f extracted.bin /foff /s -1 diff --git a/data/generated/cheatsheets/ruby-dev.cheat b/data/generated/cheatsheets/ruby-dev.cheat new file mode 100644 index 0000000..2ea3d42 --- /dev/null +++ b/data/generated/cheatsheets/ruby-dev.cheat 
@@ -0,0 +1,7 @@ +# ruby-dev +# Installed via: apt (ruby-dev) + +% ruby-dev + +# Show help for ruby-dev +ruby-dev --help diff --git a/data/generated/cheatsheets/ruby.cheat b/data/generated/cheatsheets/ruby.cheat new file mode 100644 index 0000000..30d23cc --- /dev/null +++ b/data/generated/cheatsheets/ruby.cheat @@ -0,0 +1,7 @@ +# ruby +# Installed via: apt (ruby) + +% ruby + +# Show help for ruby +ruby --help diff --git a/data/generated/cheatsheets/runsc32.cheat b/data/generated/cheatsheets/runsc32.cheat new file mode 100644 index 0000000..7d921b0 --- /dev/null +++ b/data/generated/cheatsheets/runsc32.cheat @@ -0,0 +1,9 @@ +# runsc32 +# Execute extracted shellcode for dynamic analysis +# FOR610 Labs: 3.5, 4.6 | Sections: 3, 4 +# Docs: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode + +% shellcode, execution, dynamic-analysis + +# Basic usage +runsc32 -f shellcode.bin -o 0x3B -d qa.doc diff --git a/data/generated/cheatsheets/salt-minion.cheat b/data/generated/cheatsheets/salt-minion.cheat new file mode 100644 index 0000000..98429fe --- /dev/null +++ b/data/generated/cheatsheets/salt-minion.cheat @@ -0,0 +1,7 @@ +# salt-minion +# Installed via: unknown (salt-minion) + +% salt-minion + +# Show help for salt-minion +salt-minion --help diff --git a/data/generated/cheatsheets/sandfly-processdecloak.cheat b/data/generated/cheatsheets/sandfly-processdecloak.cheat new file mode 100644 index 0000000..83bf83f --- /dev/null +++ b/data/generated/cheatsheets/sandfly-processdecloak.cheat @@ -0,0 +1,9 @@ +# sandfly-processdecloak +# Find hidden processes on the local Linux system. +# Category: Investigate System Interactions +# Docs: https://docs.remnux.org/discover-the-tools/investigate+system+interactions + +% sandfly-processdecloak + +# Show help for sandfly-processdecloak +sandfly-processdecloak --help 
diff --git a/data/generated/cheatsheets/scalpel.cheat b/data/generated/cheatsheets/scalpel.cheat new file mode 100644 index 0000000..01b35b2 --- /dev/null +++ b/data/generated/cheatsheets/scalpel.cheat @@ -0,0 +1,9 @@ +# scalpel +# Carve contents out of binary files, such as partitions. +# Category: Gather and Analyze Data +# Docs: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + +% scalpel + +# Show help for scalpel +scalpel --help diff --git a/data/generated/cheatsheets/scdbgc.cheat b/data/generated/cheatsheets/scdbgc.cheat new file mode 100644 index 0000000..37f048b --- /dev/null +++ b/data/generated/cheatsheets/scdbgc.cheat 
@@ -0,0 +1,49 @@ +# scdbgc +# Shellcode emulator — analyze shellcode behavior through API-level emulation +# FOR610 Labs: 3.4, 3.5, 4.6 | Sections: 3, 4 +# Docs: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode + +% shellcode, emulation, api-calls + +# Basic usage +scdbgc /f shellcode.bin /s -1 + +# Alternative usage +scdbgc /f shellcode.bin /foff 0x3B /fopen qa.doc + +# Alternative usage +scdbgc /f shellcode.bin /s -1 /norw + + +# --- Recipes (multi-tool chains) --- + +# >> Full Office Macro Decode Chain +# Step 1: List streams and extract VBA +oledump.py +oledump.py -s -v +# Step 2: Extract Base64 from data stream +oledump.py -s -d | base64dump.py -s 1 -d > stage1.ps1 +# Step 3: Decode second Base64 layer + decompress +base64dump.py stage1.ps1 -s 3 -d | gunzip > stage2.ps1 +# Step 4: XOR decode the shellcode +base64dump.py stage2.ps1 -s 2 -d | translate.py 'byte ^ 35' > shellcode.bin +# Step 5: Emulate the shellcode +scdbgc /f shellcode.bin /s -1 + +# >> Extract Shellcode from RTF Document +# Scan RTF structure — look for groups with lots of hex data +rtfdump.py +# Extract the hex-heavy group as binary +rtfdump.py -s -H -d > extracted.bin +# Scan for shellcode patterns (even XOR-encoded) +XORSearch -W -d 3 extracted.bin +# Emulate shellcode at found offset +scdbgc /f extracted.bin /foff /s -1 + +# >> Emulate Shellcode at Specific Offset +# Emulate from file start +scdbgc /f /s -1 +# Emulate from specific offset (hex) +scdbgc /f /foff /s -1 +# Emulate with a file handle pre-opened (for exploits) +scdbgc /f /foff /fopen /s -1 diff --git a/data/generated/cheatsheets/scite.cheat b/data/generated/cheatsheets/scite.cheat new file mode 100644 index 0000000..a19b54d --- /dev/null +++ b/data/generated/cheatsheets/scite.cheat @@ -0,0 +1,9 @@ +# scite +# Edit text files. +# Category: View or Edit Files +# Docs: https://docs.remnux.org/discover-the-tools/view+or+edit+files + +% scite + +# Show help for scite +scite --help 
diff --git a/data/generated/cheatsheets/sets.py.cheat b/data/generated/cheatsheets/sets.py.cheat new file mode 100644 index 0000000..b00e3e1 --- /dev/null +++ b/data/generated/cheatsheets/sets.py.cheat @@ -0,0 +1,9 @@ +# sets.py +# Perform set operations on lines or bytes in text files. +# Category: Examine Static Properties > Deobfuscation +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + +% sets.py + +# Show help for sets.py +sets.py --help diff --git a/data/generated/cheatsheets/sharutils.cheat b/data/generated/cheatsheets/sharutils.cheat new file mode 100644 index 0000000..c303039 --- /dev/null +++ b/data/generated/cheatsheets/sharutils.cheat @@ -0,0 +1,7 @@ +# sharutils +# Installed via: apt (sharutils) + +% sharutils + +# Show help for sharutils +sharutils --help diff --git a/data/generated/cheatsheets/shcode2exe.cheat b/data/generated/cheatsheets/shcode2exe.cheat new file mode 100644 index 0000000..8eaf2fc --- /dev/null +++ b/data/generated/cheatsheets/shcode2exe.cheat @@ -0,0 +1,15 @@ +# shcode2exe +# Convert raw shellcode to a Windows PE executable for analysis in disassemblers +# Docs: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode + +% shellcode, conversion, pe + +# Basic usage +shcode2exe + + +# --- Recipes (multi-tool chains) --- + +# >> Convert Shellcode to Executable +# Convert 32-bit shellcode to EXE +shcode2exe diff --git a/data/generated/cheatsheets/shellcode2exe-bat.cheat b/data/generated/cheatsheets/shellcode2exe-bat.cheat new file mode 100644 index 0000000..7c7b5cc --- /dev/null +++ b/data/generated/cheatsheets/shellcode2exe-bat.cheat 
@@ -0,0 +1,9 @@ +# shellcode2exe-bat +# Convert 32 and 64-bit shellcode to a Windows executable file. +# Category: Dynamically Reverse-Engineer Code > Shellcode +# Docs: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode + +% shellcode2exe-bat + +# Show help for shellcode2exe-bat +shellcode2exe-bat --help diff --git a/data/generated/cheatsheets/sift.cheat b/data/generated/cheatsheets/sift.cheat new file mode 100644 index 0000000..209d772 --- /dev/null +++ b/data/generated/cheatsheets/sift.cheat @@ -0,0 +1,7 @@ +# sift +# Installed via: unknown (sift) + +% sift + +# Show help for sift +sift --help diff --git a/data/generated/cheatsheets/signsrch.cheat b/data/generated/cheatsheets/signsrch.cheat new file mode 100644 index 0000000..687b043 --- /dev/null +++ b/data/generated/cheatsheets/signsrch.cheat @@ -0,0 +1,9 @@ +# signsrch +# Find patterns of common encryption, compression, or encoding algorithms. +# Category: Examine Static Properties > General +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + +% signsrch + +# Show help for signsrch +signsrch --help diff --git a/data/generated/cheatsheets/sleuth-kit.cheat b/data/generated/cheatsheets/sleuth-kit.cheat new file mode 100644 index 0000000..748cf55 --- /dev/null +++ b/data/generated/cheatsheets/sleuth-kit.cheat @@ -0,0 +1,9 @@ +# Sleuth Kit +# Analyze disk images and recover files from them. +# Category: Examine Static Properties > General +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + +% sleuth-kit + +# Show help for Sleuth Kit +Sleuth Kit --help diff --git a/data/generated/cheatsheets/sleuthkit.cheat b/data/generated/cheatsheets/sleuthkit.cheat new file mode 100644 index 0000000..777991e --- /dev/null +++ b/data/generated/cheatsheets/sleuthkit.cheat @@ -0,0 +1,7 @@ +# sleuthkit +# Installed via: apt (remnux-packages-sleuthkit) + +% sleuthkit + +# Show help for sleuthkit +sleuthkit --help 
diff --git a/data/generated/cheatsheets/snap.cheat b/data/generated/cheatsheets/snap.cheat new file mode 100644 index 0000000..788eb68 --- /dev/null +++ b/data/generated/cheatsheets/snap.cheat @@ -0,0 +1,7 @@ +# snap +# Installed via: apt (remnux-package-snap) + +% snap + +# Show help for snap +snap --help diff --git a/data/generated/cheatsheets/snapd.cheat b/data/generated/cheatsheets/snapd.cheat new file mode 100644 index 0000000..506230d --- /dev/null +++ b/data/generated/cheatsheets/snapd.cheat @@ -0,0 +1,7 @@ +# snapd +# Installed via: apt (remnux-package-snapd) + +% snapd + +# Show help for snapd +snapd --help diff --git a/data/generated/cheatsheets/software-properties-common.cheat b/data/generated/cheatsheets/software-properties-common.cheat new file mode 100644 index 0000000..f204feb --- /dev/null +++ b/data/generated/cheatsheets/software-properties-common.cheat @@ -0,0 +1,7 @@ +# software-properties-common +# Installed via: apt (software-properties-common) + +% software-properties-common + +# Show help for software-properties-common +software-properties-common --help diff --git a/data/generated/cheatsheets/sortcanon.py.cheat b/data/generated/cheatsheets/sortcanon.py.cheat new file mode 100644 index 0000000..4ce1111 --- /dev/null +++ b/data/generated/cheatsheets/sortcanon.py.cheat @@ -0,0 +1,9 @@ +# sortcanon.py +# Sort text files using canonicalization functions built into this tool. +# Category: General Utilities +# Docs: https://docs.remnux.org/discover-the-tools/general+utilities + +% sortcanon.py + +# Show help for sortcanon.py +sortcanon.py --help diff --git a/data/generated/cheatsheets/speakeasy.cheat b/data/generated/cheatsheets/speakeasy.cheat new file mode 100644 index 0000000..9a0b52b --- /dev/null +++ b/data/generated/cheatsheets/speakeasy.cheat 
@@ -0,0 +1,23 @@ +# speakeasy +# Windows binary emulator — emulates API calls to analyze malware behavior without native execution +# FOR610 Labs: 1.4 | Sections: 1 +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files + +% emulation, api-calls, behavioral-analysis + +# Basic usage +speakeasy -t specimen.exe -o report.json 2> report.txt + +# Show all results +speakeasy -t shellcode.bin -r -a x86 + + +# --- Recipes (multi-tool chains) --- + +# >> Emulate Malware and Extract API Calls +# Emulate and capture both JSON report and text log +speakeasy -t -o report.json 2> report.txt +# Extract all API names called +jq '.entry_points[].apis[].api_name' report.json +# Extract unique API names +jq -r '.entry_points[].apis[].api_name' report.json | sort -u diff --git a/data/generated/cheatsheets/spidermonkey.cheat b/data/generated/cheatsheets/spidermonkey.cheat new file mode 100644 index 0000000..49f3638 --- /dev/null +++ b/data/generated/cheatsheets/spidermonkey.cheat 
@@ -0,0 +1,35 @@ +# SpiderMonkey +# Mozilla JavaScript engine — execute and deobfuscate malicious JavaScript outside a browser +# FOR610 Labs: 3.6, 3.7, 4.5 | Sections: 3, 4 +# Docs: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts + +% javascript, deobfuscation, execution + +# Basic usage +js -f malicious.js + +# Process input file +js -f /usr/share/remnux/objects.js -f malicious.js > decoded.js + + +# --- Recipes (multi-tool chains) --- + +# >> Deobfuscate JavaScript with SpiderMonkey +# Beautify compressed JavaScript +js-beautify > readable.js +# Execute with objects.js to simulate browser/WScript APIs +js -f /usr/share/remnux/objects.js -f > decoded.js +# If script expects location.href, edit objects.js first: +cp /usr/share/remnux/objects.js . +# Edit objects.js to set: location = { href: 'http://expected-url' } +js -f objects.js -f > decoded.js + +# >> Clean Null Bytes from UTF-16 JavaScript +# Check for null bytes (look for 00 in hex) +xxd | head -2 +# Remove null bytes +cat | tr -d '\00' > clean.js +# Then deobfuscate +js -f /usr/share/remnux/objects.js -f clean.js > decoded.js +# Beautify the result +js-beautify decoded.js > final.js diff --git a/data/generated/cheatsheets/sqlite.cheat b/data/generated/cheatsheets/sqlite.cheat new file mode 100644 index 0000000..2d3cecb --- /dev/null +++ b/data/generated/cheatsheets/sqlite.cheat @@ -0,0 +1,9 @@ +# SQLite +# Manage and interact with SQL database files. +# Category: General Utilities +# Docs: https://docs.remnux.org/discover-the-tools/general+utilities + +% sqlite + +# Show help for SQLite +SQLite --help diff --git a/data/generated/cheatsheets/ssdeep.cheat b/data/generated/cheatsheets/ssdeep.cheat new file mode 100644 index 0000000..708c591 --- /dev/null +++ b/data/generated/cheatsheets/ssdeep.cheat 
@@ -0,0 +1,14 @@ +# ssdeep +# Compute fuzzy hashes (CTPH) for finding similar files — useful for malware variant clustering +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + +% hashing, fuzzy, similarity, clustering + +# Basic usage +ssdeep + +# Save output to file +ssdeep -m + +# Dump/extract content +ssdeep -d diff --git a/data/generated/cheatsheets/ssh.cheat b/data/generated/cheatsheets/ssh.cheat new file mode 100644 index 0000000..af98fd4 --- /dev/null +++ b/data/generated/cheatsheets/ssh.cheat @@ -0,0 +1,7 @@ +# ssh +# Installed via: unknown (ssh) + +% ssh + +# Show help for ssh +ssh --help diff --git a/data/generated/cheatsheets/ssview.cheat b/data/generated/cheatsheets/ssview.cheat new file mode 100644 index 0000000..a475a04 --- /dev/null +++ b/data/generated/cheatsheets/ssview.cheat @@ -0,0 +1,9 @@ +# ssview +# Analyze OLE2 Structured Storage files. +# Category: Analyze Documents > Microsoft Office +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + +% ssview + +# Show help for ssview +ssview --help diff --git a/data/generated/cheatsheets/strace.cheat b/data/generated/cheatsheets/strace.cheat new file mode 100644 index 0000000..72f2bdc --- /dev/null +++ b/data/generated/cheatsheets/strace.cheat @@ -0,0 +1,7 @@ +# strace +# Installed via: apt (strace) + +% strace + +# Show help for strace +strace --help diff --git a/data/generated/cheatsheets/strdeob.pl.cheat b/data/generated/cheatsheets/strdeob.pl.cheat new file mode 100644 index 0000000..79464ac --- /dev/null +++ b/data/generated/cheatsheets/strdeob.pl.cheat 
@@ -0,0 +1,20 @@ +# strdeob.pl +# Automatically decode stack-built strings from disassembled malware +# FOR610 Labs: 5.2 | Sections: 5 +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + +% stack-strings, deobfuscation + +# Basic usage +strdeob.pl specimen.exe + + +# --- Recipes (multi-tool chains) --- + +# >> Extract Stack-Built Strings +# Automatic stack string recovery +strdeob.pl +# FLOSS automatic deobfuscation (static + stack + decoded) +floss +# FLOSS skip static strings, only show decoded +floss --no-static -- diff --git a/data/generated/cheatsheets/strings.cheat b/data/generated/cheatsheets/strings.cheat new file mode 100644 index 0000000..1f22124 --- /dev/null +++ b/data/generated/cheatsheets/strings.cheat @@ -0,0 +1,15 @@ +# strings +# Extract printable ASCII and Unicode strings from binary files +# FOR610 Labs: 3.4, 5.2 | Sections: 1, 3 +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + +% strings, static-analysis, triage + +# Basic usage +strings binary.exe + +# Suppress default output +strings -n 10 binary.exe + +# Alternative usage +strings --encoding=l binary.exe diff --git a/data/generated/cheatsheets/subversion.cheat b/data/generated/cheatsheets/subversion.cheat new file mode 100644 index 0000000..9d56a92 --- /dev/null +++ b/data/generated/cheatsheets/subversion.cheat @@ -0,0 +1,7 @@ +# subversion +# Installed via: apt (subversion) + +% subversion + +# Show help for subversion +subversion --help diff --git a/data/generated/cheatsheets/sudo.cheat b/data/generated/cheatsheets/sudo.cheat new file mode 100644 index 0000000..4b2c920 --- /dev/null +++ b/data/generated/cheatsheets/sudo.cheat @@ -0,0 +1,7 @@ +# sudo +# Installed via: apt (sudo) + +% sudo + +# Show help for sudo +sudo --help diff --git a/data/generated/cheatsheets/sudoers.cheat b/data/generated/cheatsheets/sudoers.cheat new file mode 100644 index 0000000..ab7d567 --- /dev/null 
+++ b/data/generated/cheatsheets/sudoers.cheat @@ -0,0 +1,7 @@ +# sudoers +# Installed via: unknown (sudoers) + +% sudoers + +# Show help for sudoers +sudoers --help diff --git a/data/generated/cheatsheets/tcpdump.cheat b/data/generated/cheatsheets/tcpdump.cheat new file mode 100644 index 0000000..adf39cf --- /dev/null +++ b/data/generated/cheatsheets/tcpdump.cheat @@ -0,0 +1,12 @@ +# tcpdump +# Command-line packet capture tool +# Sections: 1 +# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring + +% packet-capture, cli, network + +# Basic usage +tcpdump -i eth0 -w capture.pcap + +# Recursive/follow references +tcpdump -r capture.pcap diff --git a/data/generated/cheatsheets/tcpflow.cheat b/data/generated/cheatsheets/tcpflow.cheat new file mode 100644 index 0000000..0d63a5e --- /dev/null +++ b/data/generated/cheatsheets/tcpflow.cheat @@ -0,0 +1,19 @@ +# tcpflow +# Extract and reassemble TCP streams from PCAP files into individual files +# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring + +% network, tcp, stream-extraction + +# Basic usage +tcpflow -r -o output/ + + +# --- Recipes (multi-tool chains) --- + +# >> Extract Files from Network Capture +# Carve files using signatures +tcpxtract -f -o carved/ +# Extract individual TCP streams +tcpflow -r -o streams/ +# Or use NetworkMiner for automated extraction +NetworkMiner --pcap diff --git a/data/generated/cheatsheets/tcpick.cheat b/data/generated/cheatsheets/tcpick.cheat new file mode 100644 index 0000000..944b3c0 --- /dev/null +++ b/data/generated/cheatsheets/tcpick.cheat @@ -0,0 +1,9 @@ +# tcpick +# Capture and analyze network traffic with this command-line sniffer. +# Category: Explore Network Interactions > Monitoring +# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring + +% tcpick + +# Show help for tcpick +tcpick --help 
diff --git a/data/generated/cheatsheets/tcpxtract.cheat b/data/generated/cheatsheets/tcpxtract.cheat new file mode 100644 index 0000000..922c8bd --- /dev/null +++ b/data/generated/cheatsheets/tcpxtract.cheat @@ -0,0 +1,19 @@ +# tcpxtract +# Carve files from network traffic using file signatures +# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring + +% network, file-carving, pcap + +# Basic usage +tcpxtract -f -o output/ + + +# --- Recipes (multi-tool chains) --- + +# >> Extract Files from Network Capture +# Carve files using signatures +tcpxtract -f -o carved/ +# Extract individual TCP streams +tcpflow -r -o streams/ +# Or use NetworkMiner for automated extraction +NetworkMiner --pcap diff --git a/data/generated/cheatsheets/tesseract-ocr.cheat b/data/generated/cheatsheets/tesseract-ocr.cheat new file mode 100644 index 0000000..befac17 --- /dev/null +++ b/data/generated/cheatsheets/tesseract-ocr.cheat @@ -0,0 +1,9 @@ +# tesseract-ocr +# Examine images to identify and extract text using optical character recognition (OCR). +# Category: Analyze Documents > General +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/general + +% tesseract-ocr + +# Show help for tesseract-ocr +tesseract-ocr --help diff --git a/data/generated/cheatsheets/texteditor.py.cheat b/data/generated/cheatsheets/texteditor.py.cheat new file mode 100644 index 0000000..5df5925 --- /dev/null +++ b/data/generated/cheatsheets/texteditor.py.cheat @@ -0,0 +1,9 @@ +# texteditor.py +# Edit text files from the command line using search-and-replace commands. +# Category: General Utilities +# Docs: https://docs.remnux.org/discover-the-tools/general+utilities + +% texteditor.py + +# Show help for texteditor.py +texteditor.py --help diff --git a/data/generated/cheatsheets/thefuzz.cheat b/data/generated/cheatsheets/thefuzz.cheat new file mode 100644 index 0000000..5dc2ce8 --- /dev/null +++ b/data/generated/cheatsheets/thefuzz.cheat 
@@ -0,0 +1,9 @@ +# thefuzz +# Fuzzy String Matching in Python. +# Category: Examine Static Properties > General +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + +% thefuzz + +# Show help for thefuzz +thefuzz --help diff --git a/data/generated/cheatsheets/thug.cheat b/data/generated/cheatsheets/thug.cheat new file mode 100644 index 0000000..48aa2e6 --- /dev/null +++ b/data/generated/cheatsheets/thug.cheat @@ -0,0 +1,9 @@ +# Thug +# Low-interaction honeyclient for analyzing malicious websites and drive-by downloads +# Sections: 3 +# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting + +% honeyclient, web-analysis, drive-by + +# Basic usage +thug -u win7chrome49 http://suspicious-site.com diff --git a/data/generated/cheatsheets/time-decode.cheat b/data/generated/cheatsheets/time-decode.cheat new file mode 100644 index 0000000..9d93dcc --- /dev/null +++ b/data/generated/cheatsheets/time-decode.cheat @@ -0,0 +1,9 @@ +# time-decode +# Decode and encode date and timestamps. +# Category: Gather and Analyze Data +# Docs: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + +% time-decode + +# Show help for time-decode +time-decode --help diff --git a/data/generated/cheatsheets/tor.cheat b/data/generated/cheatsheets/tor.cheat new file mode 100644 index 0000000..deedd2e --- /dev/null +++ b/data/generated/cheatsheets/tor.cheat @@ -0,0 +1,9 @@ +# tor +# Obfuscate your origins by routing traffic through a network of anonymizing nodes. +# Category: Explore Network Interactions > Connecting +# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting + +% tor + +# Show help for tor +tor --help diff --git a/data/generated/cheatsheets/torsocks.cheat b/data/generated/cheatsheets/torsocks.cheat new file mode 100644 index 0000000..b50b562 --- /dev/null +++ b/data/generated/cheatsheets/torsocks.cheat 
@@ -0,0 +1,8 @@ +# torsocks +# Route network traffic through the Tor anonymity network +# Sections: 1 + +% tor, anonymity, network-routing + +# Basic usage +torsocks curl http://example.onion diff --git a/data/generated/cheatsheets/translate.py.cheat b/data/generated/cheatsheets/translate.py.cheat new file mode 100644 index 0000000..f94e39b --- /dev/null +++ b/data/generated/cheatsheets/translate.py.cheat @@ -0,0 +1,31 @@ +# translate.py +# Transform data using Python expressions (XOR, ADD, etc.) +# FOR610 Labs: 3.4 | Sections: 3 | Author: Didier Stevens +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + +% xor, transformation, decoding, didier-stevens + +# Basic usage +translate.py "byte ^ 35" < input.bin > output.bin + + +# --- Recipes (multi-tool chains) --- + +# >> Decode Base64 + XOR Shellcode +# Find Base64 strings +base64dump.py -n 10 +# Decode Base64, then XOR with key +base64dump.py -s -d | translate.py 'byte ^ ' > shellcode.bin + +# >> Full Office Macro Decode Chain +# Step 1: List streams and extract VBA +oledump.py +oledump.py -s -v +# Step 2: Extract Base64 from data stream +oledump.py -s -d | base64dump.py -s 1 -d > stage1.ps1 +# Step 3: Decode second Base64 layer + decompress +base64dump.py stage1.ps1 -s 3 -d | gunzip > stage2.ps1 +# Step 4: XOR decode the shellcode +base64dump.py stage2.ps1 -s 2 -d | translate.py 'byte ^ 35' > shellcode.bin +# Step 5: Emulate the shellcode +scdbgc /f shellcode.bin /s -1 diff --git a/data/generated/cheatsheets/trid.cheat b/data/generated/cheatsheets/trid.cheat new file mode 100644 index 0000000..37d207f --- /dev/null +++ b/data/generated/cheatsheets/trid.cheat @@ -0,0 +1,9 @@ +# trid +# Identify file type by scanning binary signatures database +# FOR610 Labs: 3.3, 3.4 | Sections: 3 +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + +% file-identification, triage + +# Basic usage +trid document.doc 
diff --git a/data/generated/cheatsheets/tshark.cheat b/data/generated/cheatsheets/tshark.cheat new file mode 100644 index 0000000..b99b460 --- /dev/null +++ b/data/generated/cheatsheets/tshark.cheat @@ -0,0 +1,12 @@ +# tshark +# Command-line interface to Wireshark for packet capture and analysis +# Sections: 1 +# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring + +% packet-capture, cli, network + +# Basic usage +tshark -r capture.pcap + +# Case-insensitive search +tshark -i eth0 -w capture.pcap diff --git a/data/generated/cheatsheets/tzdata.cheat b/data/generated/cheatsheets/tzdata.cheat new file mode 100644 index 0000000..1bca039 --- /dev/null +++ b/data/generated/cheatsheets/tzdata.cheat @@ -0,0 +1,7 @@ +# tzdata +# Installed via: apt (tzdata) + +% tzdata + +# Show help for tzdata +tzdata --help diff --git a/data/generated/cheatsheets/ubuntu-universe.cheat b/data/generated/cheatsheets/ubuntu-universe.cheat new file mode 100644 index 0000000..047436d --- /dev/null +++ b/data/generated/cheatsheets/ubuntu-universe.cheat @@ -0,0 +1,7 @@ +# ubuntu-universe +# Installed via: unknown (ubuntu-universe) + +% ubuntu-universe + +# Show help for ubuntu-universe +ubuntu-universe --help diff --git a/data/generated/cheatsheets/ubuntu.cheat b/data/generated/cheatsheets/ubuntu.cheat new file mode 100644 index 0000000..e663413 --- /dev/null +++ b/data/generated/cheatsheets/ubuntu.cheat @@ -0,0 +1,7 @@ +# ubuntu +# Installed via: unknown (ubuntu) + +% ubuntu + +# Show help for ubuntu +ubuntu --help diff --git a/data/generated/cheatsheets/uncompyle6.cheat b/data/generated/cheatsheets/uncompyle6.cheat new file mode 100644 index 0000000..9319d7d --- /dev/null +++ b/data/generated/cheatsheets/uncompyle6.cheat 
@@ -0,0 +1,11 @@ +# uncompyle6 +# Decompile Python bytecode (.pyc) back to source — supports Python 1.0 through 3.8 +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/python + +% python, decompilation, bytecode + +# Basic usage +uncompyle6 + +# Output to file +uncompyle6 -o output/ diff --git a/data/generated/cheatsheets/unfurl.cheat b/data/generated/cheatsheets/unfurl.cheat new file mode 100644 index 0000000..98b5f87 --- /dev/null +++ b/data/generated/cheatsheets/unfurl.cheat @@ -0,0 +1,8 @@ +# Unfurl +# Deconstruct and decode URLs — reveal tracking parameters, encoded data, and redirect chains +# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting + +% url, decoding, phishing, tracking + +# Basic usage +unfurl parse diff --git a/data/generated/cheatsheets/unhide.cheat b/data/generated/cheatsheets/unhide.cheat new file mode 100644 index 0000000..be09cd1 --- /dev/null +++ b/data/generated/cheatsheets/unhide.cheat @@ -0,0 +1,9 @@ +# unhide +# Find hidden processes or connections on the local Linux system. +# Category: Investigate System Interactions +# Docs: https://docs.remnux.org/discover-the-tools/investigate+system+interactions + +% unhide + +# Show help for unhide +unhide --help diff --git a/data/generated/cheatsheets/unicode.cheat b/data/generated/cheatsheets/unicode.cheat new file mode 100644 index 0000000..518a73d --- /dev/null +++ b/data/generated/cheatsheets/unicode.cheat @@ -0,0 +1,9 @@ +# unicode +# Display Unicode character properties. +# Category: Examine Static Properties > Deobfuscation +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + +% unicode + +# Show help for unicode +unicode --help diff --git a/data/generated/cheatsheets/unxor.cheat b/data/generated/cheatsheets/unxor.cheat new file mode 100644 index 0000000..05dbe23 --- /dev/null +++ b/data/generated/cheatsheets/unxor.cheat 
@@ -0,0 +1,9 @@ +# unxor +# Deobfuscate XOR'ed files. +# Category: Examine Static Properties > Deobfuscation +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + +% unxor + +# Show help for unxor +unxor --help diff --git a/data/generated/cheatsheets/unzip.cheat b/data/generated/cheatsheets/unzip.cheat new file mode 100644 index 0000000..194bf89 --- /dev/null +++ b/data/generated/cheatsheets/unzip.cheat @@ -0,0 +1,9 @@ +# unzip +# Extract ZIP archives containing malware samples +# FOR610 Labs: 1.1, 3.1, 3.3, 3.4, 3.5, 3.6, 3.7, 4.1, 4.8, 5.2, 5.3, 5.4 | Sections: 1, 3, 4, 5 +# Docs: https://docs.remnux.org/discover-the-tools/general+utilities + +% archive, extraction + +# Basic usage +unzip -P infected sample.zip diff --git a/data/generated/cheatsheets/upx.cheat b/data/generated/cheatsheets/upx.cheat new file mode 100644 index 0000000..b2fe51a --- /dev/null +++ b/data/generated/cheatsheets/upx.cheat @@ -0,0 +1,12 @@ +# UPX +# Universal Packer for eXecutables — compress and decompress PE files +# FOR610 Labs: 4.2 | Sections: 4 +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/unpacking + +% packer, unpacker, compression + +# Basic usage +upx -d packed.exe + +# Dump/extract content +upx -d packed.exe -o unpacked.exe diff --git a/data/generated/cheatsheets/user.cheat b/data/generated/cheatsheets/user.cheat new file mode 100644 index 0000000..45243cc --- /dev/null +++ b/data/generated/cheatsheets/user.cheat @@ -0,0 +1,7 @@ +# user +# Installed via: unknown (user) + +% user + +# Show help for user +user --help diff --git a/data/generated/cheatsheets/vbindiff.cheat b/data/generated/cheatsheets/vbindiff.cheat new file mode 100644 index 0000000..816e70c --- /dev/null +++ b/data/generated/cheatsheets/vbindiff.cheat 
@@ -0,0 +1,9 @@ +# vbindiff +# Compare binary files. +# Category: View or Edit Files +# Docs: https://docs.remnux.org/discover-the-tools/view+or+edit+files + +% vbindiff + +# Show help for vbindiff +vbindiff --help diff --git a/data/generated/cheatsheets/vim.cheat b/data/generated/cheatsheets/vim.cheat new file mode 100644 index 0000000..4c2853a --- /dev/null +++ b/data/generated/cheatsheets/vim.cheat @@ -0,0 +1,7 @@ +# vim +# Installed via: apt (vim) + +% vim + +# Show help for vim +vim --help diff --git a/data/generated/cheatsheets/virustotal-search.cheat b/data/generated/cheatsheets/virustotal-search.cheat new file mode 100644 index 0000000..362e70f --- /dev/null +++ b/data/generated/cheatsheets/virustotal-search.cheat @@ -0,0 +1,9 @@ +# virustotal-search +# Search VirusTotal for file hashes. +# Category: Gather and Analyze Data +# Docs: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + +% virustotal-search + +# Show help for virustotal-search +virustotal-search --help diff --git a/data/generated/cheatsheets/virustotal-submit.cheat b/data/generated/cheatsheets/virustotal-submit.cheat new file mode 100644 index 0000000..3d15e4e --- /dev/null +++ b/data/generated/cheatsheets/virustotal-submit.cheat @@ -0,0 +1,9 @@ +# virustotal-submit +# Submit files to VirusTotal. +# Category: Gather and Analyze Data +# Docs: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + +% virustotal-submit + +# Show help for virustotal-submit +virustotal-submit --help diff --git a/data/generated/cheatsheets/visual-studio-code.cheat b/data/generated/cheatsheets/visual-studio-code.cheat new file mode 100644 index 0000000..f4d8b7a --- /dev/null +++ b/data/generated/cheatsheets/visual-studio-code.cheat 
@@ -0,0 +1,9 @@ +# Visual Studio Code +# Code editor used for viewing decompiled output, scripts, and analysis results +# FOR610 Labs: 1.3, 1.4, 1.5, 3.3, 3.6, 3.7, 4.5, 4.8, 5.2, 5.3 | Sections: 1, 3, 4, 5 +# Docs: https://docs.remnux.org/discover-the-tools/view+or+edit+files + +% editor, code-viewer + +# Basic usage +code filename.js diff --git a/data/generated/cheatsheets/vivisect.cheat b/data/generated/cheatsheets/vivisect.cheat new file mode 100644 index 0000000..17a7d5f --- /dev/null +++ b/data/generated/cheatsheets/vivisect.cheat @@ -0,0 +1,11 @@ +# Vivisect +# Binary analysis and emulation framework — static analysis with emulation capabilities +# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/general + +% emulation, static-analysis, binary-analysis + +# Basic usage +vivbin + +# Save output to file +python3 -c "import vivisect; vw = vivisect.VivWorkspace(); vw.loadFromFile('')" diff --git a/data/generated/cheatsheets/volatility3.cheat b/data/generated/cheatsheets/volatility3.cheat new file mode 100644 index 0000000..cb3c3e2 --- /dev/null +++ b/data/generated/cheatsheets/volatility3.cheat 
@@ -0,0 +1,39 @@ +# volatility3 +# Memory forensics framework — analyze RAM dumps to find malware, hidden processes, network connections, and injected code +# Docs: https://docs.remnux.org/discover-the-tools/perform+memory+forensics + +% memory, forensics, volatility, incident-response + +# Basic usage +vol3 -f windows.info + +# Process input file +vol3 -f windows.pslist + +# Process input file +vol3 -f windows.pstree + +# Process input file +vol3 -f windows.netscan + +# Process input file +vol3 -f windows.malfind + +# Process input file +vol3 -f windows.dlllist --pid + +# Process input file +vol3 -f windows.dumpfiles --pid + + +# --- Recipes (multi-tool chains) --- + +# >> Quick Memory Dump Triage +# Identify OS +vol3 -f windows.info +# Process tree (spot anomalies) +vol3 -f windows.pstree +# Network connections +vol3 -f windows.netscan +# Injected code detection +vol3 -f windows.malfind diff --git a/data/generated/cheatsheets/vscode.cheat b/data/generated/cheatsheets/vscode.cheat new file mode 100644 index 0000000..92eaba7 --- /dev/null +++ b/data/generated/cheatsheets/vscode.cheat @@ -0,0 +1,7 @@ +# vscode +# Installed via: unknown (vscode) + +% vscode + +# Show help for vscode +vscode --help diff --git a/data/generated/cheatsheets/wget.cheat b/data/generated/cheatsheets/wget.cheat new file mode 100644 index 0000000..ecfdd03 --- /dev/null +++ b/data/generated/cheatsheets/wget.cheat @@ -0,0 +1,8 @@ +# wget +# Download files from HTTP/HTTPS/FTP servers +# Sections: 1 + +% download, http + +# Basic usage +wget http://example.com/file.bin diff --git a/data/generated/cheatsheets/wine.cheat b/data/generated/cheatsheets/wine.cheat new file mode 100644 index 0000000..11433c1 --- /dev/null +++ b/data/generated/cheatsheets/wine.cheat 
@@ -0,0 +1,9 @@ +# Wine +# Windows compatibility layer — run Windows executables on Linux +# FOR610 Labs: 3.5 | Sections: 3 +# Docs: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/general + +% windows-compat, execution + +# Basic usage +wine program.exe diff --git a/data/generated/cheatsheets/wireshark-dev.cheat b/data/generated/cheatsheets/wireshark-dev.cheat new file mode 100644 index 0000000..44c2c04 --- /dev/null +++ b/data/generated/cheatsheets/wireshark-dev.cheat @@ -0,0 +1,7 @@ +# wireshark-dev +# Installed via: unknown (wireshark-dev) + +% wireshark-dev + +# Show help for wireshark-dev +wireshark-dev --help diff --git a/data/generated/cheatsheets/wireshark.cheat b/data/generated/cheatsheets/wireshark.cheat new file mode 100644 index 0000000..fd47cd8 --- /dev/null +++ b/data/generated/cheatsheets/wireshark.cheat @@ -0,0 +1,12 @@ +# Wireshark +# GUI network protocol analyzer for capturing and inspecting packet-level traffic +# FOR610 Labs: 1.2, 1.3, 1.6, 1.7, 1.8, 5.1 | Sections: 1, 5 +# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring + +% packet-capture, protocol-analysis, network + +# Basic usage +wireshark + +# Recursive/follow references +wireshark -r capture.pcap diff --git a/data/generated/cheatsheets/wxhexeditor.cheat b/data/generated/cheatsheets/wxhexeditor.cheat new file mode 100644 index 0000000..0625459 --- /dev/null +++ b/data/generated/cheatsheets/wxhexeditor.cheat @@ -0,0 +1,9 @@ +# wxhexeditor +# Hex editor. +# Category: Examine Static Properties > General +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + +% wxhexeditor + +# Show help for wxhexeditor +wxhexeditor --help diff --git a/data/generated/cheatsheets/xdg-utils.cheat b/data/generated/cheatsheets/xdg-utils.cheat new file mode 100644 index 0000000..9950d18 --- /dev/null +++ b/data/generated/cheatsheets/xdg-utils.cheat 
@@ -0,0 +1,7 @@ +# xdg-utils +# Installed via: apt (xdg-utils) + +% xdg-utils + +# Show help for xdg-utils +xdg-utils --help diff --git a/data/generated/cheatsheets/xlmmacrodeobfuscator.cheat b/data/generated/cheatsheets/xlmmacrodeobfuscator.cheat new file mode 100644 index 0000000..f23a33d --- /dev/null +++ b/data/generated/cheatsheets/xlmmacrodeobfuscator.cheat @@ -0,0 +1,18 @@ +# XLMMacroDeobfuscator +# Deobfuscate Excel 4.0 (XLM) macros — these hide in hidden sheets and are hard to detect +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + +% office, excel, xlm, macro, deobfuscation + +# Basic usage +xlmdeobfuscator --file + +# Save output to file +xlmdeobfuscator --file --no-indent + + +# --- Recipes (multi-tool chains) --- + +# >> Deobfuscate Excel 4.0 (XLM) Macros +# Deobfuscate XLM macros +xlmdeobfuscator --file diff --git a/data/generated/cheatsheets/xmldump.py.cheat b/data/generated/cheatsheets/xmldump.py.cheat new file mode 100644 index 0000000..b471f77 --- /dev/null +++ b/data/generated/cheatsheets/xmldump.py.cheat @@ -0,0 +1,9 @@ +# xmldump.py +# Extract contents of XML files, in particular OOXML-formatted Microsoft Office documents. +# Category: Analyze Documents > Microsoft Office +# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + +% xmldump.py + +# Show help for xmldump.py +xmldump.py --help diff --git a/data/generated/cheatsheets/xmlstarlet.cheat b/data/generated/cheatsheets/xmlstarlet.cheat new file mode 100644 index 0000000..b981205 --- /dev/null +++ b/data/generated/cheatsheets/xmlstarlet.cheat @@ -0,0 +1,7 @@ +# xmlstarlet +# Installed via: apt (xmlstarlet) + +% xmlstarlet + +# Show help for xmlstarlet +xmlstarlet --help diff --git a/data/generated/cheatsheets/xor-kpa.py.cheat b/data/generated/cheatsheets/xor-kpa.py.cheat new file mode 100644 index 0000000..fc59fba --- /dev/null +++ b/data/generated/cheatsheets/xor-kpa.py.cheat 
@@ -0,0 +1,9 @@ +# xor-kpa.py +# Implement a XOR known plaintext attack. +# Category: Examine Static Properties > Deobfuscation +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + +% xor-kpa.py + +# Show help for xor-kpa.py +xor-kpa.py --help diff --git a/data/generated/cheatsheets/xorbruteforcer.cheat b/data/generated/cheatsheets/xorbruteforcer.cheat new file mode 100644 index 0000000..72e0906 --- /dev/null +++ b/data/generated/cheatsheets/xorbruteforcer.cheat @@ -0,0 +1,9 @@ +# xorbruteforcer +# Bruteforce an XOR-encoded file. +# Category: Examine Static Properties > Deobfuscation +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + +% xorbruteforcer + +# Show help for xorbruteforcer +xorbruteforcer --help diff --git a/data/generated/cheatsheets/xorsearch.cheat b/data/generated/cheatsheets/xorsearch.cheat new file mode 100644 index 0000000..0845247 --- /dev/null +++ b/data/generated/cheatsheets/xorsearch.cheat 
@@ -0,0 +1,37 @@ +# XORSearch +# Search for XOR/ROL/ROT/SHIFT-encoded patterns including shellcode signatures +# FOR610 Labs: 3.5, 5.2 | Sections: 3, 5 | Author: Didier Stevens +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + +% xor, shellcode-detection, pattern-search, didier-stevens + +# Basic usage +XORSearch -W -d 3 file.bin + +# Select specific item +XORSearch -i -s specimen.exe http: + + +# --- Recipes (multi-tool chains) --- + +# >> Extract Shellcode from RTF Document +# Scan RTF structure — look for groups with lots of hex data +rtfdump.py +# Extract the hex-heavy group as binary +rtfdump.py -s -H -d > extracted.bin +# Scan for shellcode patterns (even XOR-encoded) +XORSearch -W -d 3 extracted.bin +# Emulate shellcode at found offset +scdbgc /f extracted.bin /foff /s -1 + +# >> Brute-Force XOR Key +# Quick check for XOR-encoded URLs/PE headers +XORSearch http: +# Brute-force single-byte XOR keys +brxor.py +# Try XOR, ROL, ADD combinations +bbcrack -l 1 +# Guess multi-byte XOR key length and value +xortool +# Decode with known key +xortool-xor -s '' -i -o diff --git a/data/generated/cheatsheets/xorstrings.cheat b/data/generated/cheatsheets/xorstrings.cheat new file mode 100644 index 0000000..4886596 --- /dev/null +++ b/data/generated/cheatsheets/xorstrings.cheat @@ -0,0 +1,9 @@ +# xorstrings +# Search for XOR encoded strings in a file. +# Category: Examine Static Properties > Deobfuscation +# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + +% xorstrings + +# Show help for xorstrings +xorstrings --help diff --git a/data/generated/cheatsheets/xortool.cheat b/data/generated/cheatsheets/xortool.cheat new file mode 100644 index 0000000..65fd3fe --- /dev/null +++ b/data/generated/cheatsheets/xortool.cheat 
@@ -0,0 +1,26 @@
+# xortool
+# Analyze XOR-encoded data — guess key length and probable key bytes
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+
+% xor, deobfuscation, key-recovery
+
+# Basic usage
+xortool
+
+# Select specific item
+xortool-xor -s 'key' -i -o
+
+
+# --- Recipes (multi-tool chains) ---
+
+# >> Brute-Force XOR Key
+# Quick check for XOR-encoded URLs/PE headers
+XORSearch http:
+# Brute-force single-byte XOR keys
+brxor.py
+# Try XOR, ROL, ADD combinations
+bbcrack -l 1
+# Guess multi-byte XOR key length and value
+xortool
+# Decode with known key
+xortool-xor -s '' -i -o
diff --git a/data/generated/cheatsheets/xterm.cheat b/data/generated/cheatsheets/xterm.cheat
new file mode 100644
index 0000000..9dbe92a
--- /dev/null
+++ b/data/generated/cheatsheets/xterm.cheat
@@ -0,0 +1,7 @@
+# xterm
+# Installed via: apt (xterm)
+
+% xterm
+
+# Show help for xterm
+xterm --help
diff --git a/data/generated/cheatsheets/xxd.cheat b/data/generated/cheatsheets/xxd.cheat
new file mode 100644
index 0000000..c1b854b
--- /dev/null
+++ b/data/generated/cheatsheets/xxd.cheat
@@ -0,0 +1,11 @@
+# xxd
+# Create hex dump of a file or reverse a hex dump back to binary
+# Sections: 1
+
+% hex, binary-conversion
+
+# Basic usage
+xxd binary.exe
+
+# Recursive/follow references
+xxd -r hexdump.txt > binary.exe
diff --git a/data/generated/cheatsheets/yara-forge-rules.cheat b/data/generated/cheatsheets/yara-forge-rules.cheat
new file mode 100644
index 0000000..89e1146
--- /dev/null
+++ b/data/generated/cheatsheets/yara-forge-rules.cheat
@@ -0,0 +1,9 @@
+# YARA-Forge Rules
+# Scan files with curated YARA rules from 45+ sources for malware family identification.
+# Category: Examine Static Properties > General
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
+
+% yara-forge-rules
+
+# Show help for YARA-Forge Rules
+YARA-Forge Rules --help
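Review bot: `YARA-Forge Rules --help` in yara-forge-rules.cheat is not a runnable command — the display name contains a space, so a shell would try to execute `YARA-Forge` with `Rules` as its argument, yet the `% yara-forge-rules` tag advertises it as a selectable snippet. The generator appears to fall back to the tool's display name whenever no executable is known; the same fallback yields `zbar-tools --help` and `zlib1g-dev --help` for apt package names in the neighbouring hunks, and the fix belongs in scripts/generate-help-artifacts.py, which is not in view. Emit the `--help` stub only when a concrete binary name is available, and otherwise replace the command line with a non-executable pointer such as `# No CLI entry point recorded — see the Docs URL above` so the snippet cannot be run by mistake.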
diff --git a/data/generated/cheatsheets/yara-x.cheat b/data/generated/cheatsheets/yara-x.cheat
new file mode 100644
index 0000000..c46bc12
--- /dev/null
+++ b/data/generated/cheatsheets/yara-x.cheat
@@ -0,0 +1,9 @@
+# yara-x
+# Scan files using YARA rules, the next generation of YARA written in Rust.
+# Category: Gather and Analyze Data
+# Docs: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data
+
+% yara-x
+
+# Show help for yara-x
+yara-x --help
diff --git a/data/generated/cheatsheets/yara.cheat b/data/generated/cheatsheets/yara.cheat
new file mode 100644
index 0000000..9d81bdb
--- /dev/null
+++ b/data/generated/cheatsheets/yara.cheat
@@ -0,0 +1,21 @@
+# yara
+# Pattern matching tool for identifying and classifying malware using custom rules
+# FOR610 Labs: 3.4 | Sections: 3
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
+
+% pattern-matching, classification, rules
+
+# Basic usage
+yara-rules specimen.bin
+
+# Alternative usage
+yara rule.yar specimen.exe
+
+
+# --- Recipes (multi-tool chains) ---
+
+# >> Parse Cobalt Strike Beacon Configuration
+# Scan with YARA for CS signatures
+yara-rules
+# Extract beacon configuration
+1768.py
diff --git a/data/generated/cheatsheets/zbar-tools.cheat b/data/generated/cheatsheets/zbar-tools.cheat
new file mode 100644
index 0000000..2b17101
--- /dev/null
+++ b/data/generated/cheatsheets/zbar-tools.cheat
@@ -0,0 +1,7 @@
+# zbar-tools
+# Installed via: apt (zbar-tools)
+
+% zbar-tools
+
+# Show help for zbar-tools
+zbar-tools --help
diff --git a/data/generated/cheatsheets/zbarimg.cheat b/data/generated/cheatsheets/zbarimg.cheat
new file mode 100644
index 0000000..47b6d77
--- /dev/null
+++ b/data/generated/cheatsheets/zbarimg.cheat
@@ -0,0 +1,9 @@
+# zbarimg
+# Decode QR codes and barcodes from image files.
+# Category: Explore Network Interactions > Connecting
+# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting
+
+% zbarimg
+
+# Show help for zbarimg
+zbarimg --help
diff --git a/data/generated/cheatsheets/zipdump.py.cheat b/data/generated/cheatsheets/zipdump.py.cheat
new file mode 100644
index 0000000..96c3fd7
--- /dev/null
+++ b/data/generated/cheatsheets/zipdump.py.cheat
@@ -0,0 +1,9 @@
+# zipdump.py
+# Parse and analyze ZIP archive structure
+# Sections: 3 | Author: Didier Stevens
+# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office
+
+% zip, archive, didier-stevens
+
+# Basic usage
+zipdump.py archive.zip
diff --git a/data/generated/cheatsheets/zlib1g-dev.cheat b/data/generated/cheatsheets/zlib1g-dev.cheat
new file mode 100644
index 0000000..3edce71
--- /dev/null
+++ b/data/generated/cheatsheets/zlib1g-dev.cheat
@@ -0,0 +1,7 @@
+# zlib1g-dev
+# Installed via: apt (zlib1g-dev)
+
+% zlib1g-dev
+
+# Show help for zlib1g-dev
+zlib1g-dev --help
diff --git a/data/generated/coverage-report.md b/data/generated/coverage-report.md
new file mode 100644
index 0000000..bd13aec
--- /dev/null
+++ b/data/generated/coverage-report.md
@@ -0,0 +1,433 @@
+# Tool Coverage Report
+
+## Summary
+
+| Metric | Count |
+|--------|-------|
+| Total tools in master inventory | 447 |
+| Tools in REMnux container | 397 |
+| Rich help (FOR610 coverage) | 156 |
+| Standard help (REMnux docs) | 118 |
+| Basic help (salt-states only) | 173 |
+| Stub (no documentation) | 0 |
+
+## Source Overlap
+
+| Combination | Count |
+|-------------|-------|
+| for610 only | 58 |
+| remnux docs only | 51 |
+| salt states only | 173 |
+| all three | 65 |
+| for610 and docs | 92 |
+| for610 and salt | 71 |
+| docs and salt | 132 |
+| no coverage | 0 |
+
+## Priority: REMnux Tools Needing Help
+
+These 173 tools are installed in the container but have minimal or no documentation:
+
+- `7zip` [basic]
+- `aeskeyfind` [basic]
+- `android-project-creator` [basic]
+- `apt-utils` [basic]
+- `archive-zip` [basic]
+- `autoconf` [basic]
+- `autologin` [basic]
+- `automake` [basic]
+- `bash-history` [basic]
+- `bash-rc` [basic]
+- `bearparser` [basic]
+- `binee` [basic]
+- `binutils` [basic]
+- `build-essential` [basic]
+- `bundler` [basic]
+- `burpsuite-community` [basic]
+- `cffi` [basic]
+- `clamav-daemon` [basic]
+- `compatibility` [basic]
+- `default-jdk` [basic]
+- `default-jre` [basic]
+- `dialog` [basic]
+- `didier-stevens-scripts` [basic]
+- `display` [basic]
+- `distro-info` [basic]
+- `dllcharacteristics` [basic]
+- `dog` [basic]
+- `dot-cache` [basic]
+- `dot-config` [basic]
+- `dot-cpan` [basic]
+- `dot-dbus` [basic]
+- `dot-local` [basic]
+- `dotnet-runtime-3-1` [basic]
+- `edb-debugger` [basic]
+- `enchant` [basic]
+- `epic5` [basic]
+- `exfat-utils` [basic]
+- `flare-floss` [basic]
+- `flex` [basic]
+- `galculator` [basic]
+- `gdb` [basic]
+- `gdm3` [basic]
+- `gift` [basic]
+- `git` [basic]
+- `gnome-session` [basic]
+- `gnome-shell-extensions` [basic]
+- `gnome-terminal` [basic]
+- `gnome-tweaks` [basic]
+- `gnutls-bin` [basic]
+- `graphviz` [basic]
+- `grub-kvm` [basic]
+- `guest-tools` [basic]
+- `i386-architecture` [basic]
+- `iproute2` [basic]
+- `iputils-ping` [basic]
+- `ipython3` [basic]
+- `lame` [basic]
+- `libboost-dev` [basic]
+- `libboost-python-dev` [basic]
+- `libboost-system-dev` [basic]
+- `libdpkg-perl` [basic]
+- `libemail-outlook-message-perl` [basic]
+- `libffi-dev` [basic]
+- `libfuse2` [basic]
+- `libfuzzy-dev` [basic]
+- `libfuzzy2` [basic]
+- `libglib2` [basic]
+- `libglu1-mesa-dev` [basic]
+- `libgraphviz-dev` [basic]
+- `libgtk-3-0` [basic]
+- `libjavassist-java` [basic]
+- `libjpeg-dev` [basic]
+- `libjpeg8-dev` [basic]
+- `liblzma-dev` [basic]
+- `liblzo2-dev` [basic]
+- `libmagic-dev` [basic]
+- `libmysqlclient21` [basic]
+- `libncurses` [basic]
+- `libnetfilter-queue-dev` [basic]
+- `libnfnetlink-dev` [basic]
+- `libpq5` [basic]
+- `libqt5scripttools5` [basic]
+- `libre2` [basic]
+- `libsm6` [basic]
+- `libsqlite3-dev` [basic]
+- `libssl-dev` [basic]
+- `libtool` [basic]
+- `libtre5` [basic]
+- `libusb-1` [basic]
+- `libxml2-dev` [basic]
+- `libxslt1-dev` [basic]
+- `linux-headers` [basic]
+- `ltrace` [basic]
+- `malcat` [basic]
+- `manalyze` [basic]
+- `mercurial` [basic]
+- `microsoft` [basic]
+- `microsoft-vscode` [basic]
+- `mono` [basic]
+- `mono-devel` [basic]
+- `mono-utils` [basic]
+- `mynic` [basic]
+- `nano` [basic]
+- `ndg-httpsclient` [basic]
+- `net-tools` [basic]
+- `nodejs` [basic]
+- `openjdk` [basic]
+- `openssl` [basic]
+- `osarch` [basic]
+- `pe-tree` [basic]
+- `pedump` [basic]
+- `perl` [basic]
+- `pev` [basic]
+- `pgadmin` [basic]
+- `pip` [basic]
+- `pkg-config` [basic]
+- `portex` [basic]
+- `prefer-ipv4` [basic]
+- `procyon-decompiler` [basic]
+- `protobuf` [basic]
+- `pycdc` [basic]
+- `pyelftools` [basic]
+- `python-debian` [basic]
+- `python3` [basic]
+- `python3-cryptography` [basic]
+- `python3-dev` [basic]
+- `python3-dnspython` [basic]
+- `python3-magic` [basic]
+- `python3-netifaces` [basic]
+- `python3-numpy` [basic]
+- `python3-pil` [basic]
+- `python3-pip` [basic]
+- `python3-pyasn1` [basic]
+- `python3-pyqt5` [basic]
+- `python3-requests` [basic]
+- `python3-setuptools` [basic]
+- `python3-ssdeep` [basic]
+- `python3-tk` [basic]
+- `python3-venv` [basic]
+- `python3-virtualenv` [basic]
+- `python3-wheel` [basic]
+- `qtbase5-dev` [basic]
+- `refresh` [basic]
+- `remnux` [basic]
+- `remove-app-icons` [basic]
+- `rhino` [basic]
+- `rsakeyfind` [basic]
+- `ruby` [basic]
+- `ruby-dev` [basic]
+- `salt-minion` [basic]
+- `sharutils` [basic]
+- `sift` [basic]
+- `sleuthkit` [basic]
+- `snap` [basic]
+- `snapd` [basic]
+- `software-properties-common` [basic]
+- `ssh` [basic]
+- `strace` [basic]
+- `subversion` [basic]
+- `sudo` [basic]
+- `sudoers` [basic]
+- `tzdata` [basic]
+- `ubuntu` [basic]
+- `ubuntu-universe` [basic]
+- `user` [basic]
+- `vim` [basic]
+- `vscode` [basic]
+- `wireshark-dev` [basic]
+- `xdg-utils` [basic]
+- `xmlstarlet` [basic]
+- `xterm` [basic]
+- `zbar-tools` [basic]
+- `zlib1g-dev` [basic]
+
+## Rich Help Tools (106 tools with FOR610 coverage)
+
+- `1768.py` (Labs: 3.4)
+- `Bytehist`
+- `ClamAV`
+- `Cutter`
+- `CyberChef` (Labs: 1.5, 3.8, 3.12)
+- `FLOSS` (Labs: 5.2, 5.3)
+- `Frida`
+- `Ghidra` (Labs: 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 4.9, 5.2, 5.4, 5.5, 5.6, 5.7, 5.9)
+- `ILSpy` (Labs: 3.12, 4.8)
+- `INetSim` (Labs: 1.7)
+- `Malchive`
+- `ProcDOT` (Labs: 1.2, 4.5)
+- `SpiderMonkey` (Labs: 3.6, 3.7, 4.5)
+- `Thug`
+- `UPX` (Labs: 4.2)
+- `Unfurl`
+- `Visual Studio Code` (Labs: 1.3, 1.4, 1.5, 3.3, 3.6, 3.7, 4.5, 4.8, 5.2, 5.3)
+- `Vivisect`
+- `Wine` (Labs: 3.5)
+- `Wireshark` (Labs: 1.2, 1.3, 1.6, 1.7, 1.8, 5.1)
+- `XLMMacroDeobfuscator`
+- `XORSearch` (Labs: 3.5, 5.2)
+- `androguard`
+- `apktool`
+- `base64dump.py` (Labs: 3.4, 4.5)
+- `bbcrack` (Labs: 5.2)
+- `binwalk`
+- `box-js`
+- `brxor.py` (Labs: 5.2)
+- `capa` (Labs: 1.4, 5.4)
+- `cfr`
+- `cs-analyze-processdump.py`
+- `cs-decrypt-metadata.py`
+- `cs-extract-key.py`
+- `cs-parse-traffic.py`
+- `curl`
+- `dc3-mwcp`
+- `de4dot` (Labs: 4.8)
+- `diec` (Labs: 4.1)
+- `emldump.py`
+- `evilclippy`
+- `exiftool`
+- `fakedns` (Labs: 1.3, 1.6, 1.7, 1.8)
+- `fakenet-ng`
+- `feh` (Labs: 3.1)
+- `file` (Labs: 3.4, 3.5)
+- `gunzip` (Labs: 3.4)
+- `hexdump`
+- `httpd` (Labs: 1.3, 1.6, 1.8)
+- `ilspycmd` (Labs: 4.8)
+- `ioc-parser`
+- `iptables` (Labs: 1.8)
+- `jadx`
+- `jd-gui`
+- `jq` (Labs: 1.4)
+- `js-beautify` (Labs: 3.6, 4.5)
+- `mail-parser`
+- `malwoverview`
+- `mitmproxy`
+- `msg-extractor`
+- `msoffcrypto-tool`
+- `nc`
+- `networkminer`
+- `ngrep`
+- `nslookup` (Labs: 1.3)
+- `numbers-to-string.py` (Labs: 3.3)
+- `oledump.py` (Labs: 3.3, 3.4, 4.5)
+- `olevba`
+- `pcode2code`
+- `pdf-parser.py` (Labs: 3.1)
+- `pdfid.py` (Labs: 3.1)
+- `pdfresurrect`
+- `pdftk`
+- `pdftool.py`
+- `peepdf`
+- `peframe` (Labs: 1.1, 4.8)
+- `pestr` (Labs: 1.1, 4.8)
+- `polarproxy`
+- `pyinstxtractor-ng`
+- `qiling`
+- `qpdf`
+- `radare2`
+- `rar` (Labs: 3.5)
+- `rtfdump.py` (Labs: 3.5)
+- `runsc32` (Labs: 3.5, 4.6)
+- `scdbgc` (Labs: 3.4, 3.5, 4.6)
+- `shcode2exe`
+- `speakeasy` (Labs: 1.4)
+- `ssdeep`
+- `strdeob.pl` (Labs: 5.2)
+- `strings` (Labs: 3.4, 5.2)
+- `tcpdump`
+- `tcpflow`
+- `tcpxtract`
+- `torsocks`
+- `translate.py` (Labs: 3.4)
+- `trid` (Labs: 3.3, 3.4)
+- `tshark`
+- `uncompyle6`
+- `unzip` (Labs: 1.1, 3.1, 3.3, 3.4, 3.5, 3.6, 3.7, 4.1, 4.8, 5.2, 5.3, 5.4)
+- `volatility3`
+- `wget`
+- `xortool`
+- `xxd`
+- `yara` (Labs: 3.4)
+- `zipdump.py`
+
+## Standard Help Tools (118 tools with REMnux docs only)
+
+- `7-Zip` — Examine Static Properties > General
+- `AESKeyFinder` — Perform Memory Forensics
+- `AndroidProjectCreator` — Statically Analyze Code > Android
+- `Burp Suite Community Edition` — Explore Network Interactions > Monitoring
+- `Cobalt Strike Configuration Extractor (CSCE) and Parser` — Examine Static Properties > Deobfuscation
+- `Decompyle++` — Statically Analyze Code > Python
+- `EPIC IRC Client` — Explore Network Interactions > Connecting
+- `GNOME Calculator` — General Utilities
+- `GNU Wget` — Explore Network Interactions > Connecting
+- `GhidrAssistMCP` — Use Artificial Intelligence
+- `Hachoir` — Examine Static Properties > General
+- `Hash ID` — Examine Static Properties > General
+- `JD-GUI Java Decompiler` — Statically Analyze Code > Java
+- `Javassist` — Statically Analyze Code > Java
+- `Malcat Lite` — Examine Static Properties > General
+- `Network Miner Free Edition` — Explore Network Interactions > Monitoring
+- `Procyon` — Statically Analyze Code > Java
+- `REMnux Installer` — General Utilities
+- `RSAKeyFinder` — Perform Memory Forensics
+- `SQLite` — General Utilities
+- `Sleuth Kit` — Examine Static Properties > General
+- `YARA-Forge Rules` — Examine Static Properties > General
+- `anomy` — Explore Network Interactions > Connecting
+- `apkid` — Statically Analyze Code > Android
+- `autoit-ripper` — Statically Analyze Code > Scripts
+- `baksmali` — Statically Analyze Code > Android
+- `balbuzard` — Examine Static Properties > Deobfuscation
+- `binee (Binary Emulation Environment)` — Statically Analyze Code > PE Files
+- `bulk-extractor` — Examine Static Properties > General
+- `cabextract` — General Utilities
+- `cast` — General Utilities
+- `chepy` — Examine Static Properties > Deobfuscation
+- `cut-bytes.py` — Examine Static Properties > Deobfuscation
+- `decode-vbe.py` — Statically Analyze Code > Scripts
+- `dex2jar` — Statically Analyze Code > Android
+- `dexray` — Gather and Analyze Data
+- `disitool` — Examine Static Properties > General
+- `dissect` — Gather and Analyze Data
+- `dnfile` — Examine Static Properties > .NET
+- `dnslib` — Gather and Analyze Data
+- `dnsresolver.py` — Explore Network Interactions > Services
+- `docker` — General Utilities
+- `dos2unix` — View or Edit Files
+- `dotnetfile` — Examine Static Properties > .NET
+- `droidlysis` — Examine Static Properties > General
+- `evince` — View or Edit Files
+- `ex-pe-xor` — Examine Static Properties > Deobfuscation
+- `fakemail` — Explore Network Interactions > Services
+- `file-magic.py` — Examine Static Properties > General
+- `firefox` — General Utilities
+- `format-bytes.py` — Examine Static Properties > Deobfuscation
+- `goresym` — Examine Static Properties > Go
+- `hex-to-bin.py` — Examine Static Properties > Deobfuscation
+- `ibus` — General Utilities
+- `imagemagick` — View or Edit Files
+- `inspircd` — Explore Network Interactions > Services
+- `ipwhois` — Gather and Analyze Data
+- `java-idx-parser` — Statically Analyze Code > Java
+- `jstillery` — Dynamically Reverse-Engineer Code > Scripts
+- `libemu` — Dynamically Reverse-Engineer Code > Shellcode
+- `libolecf` — Analyze Documents > Microsoft Office
+- `lief` — Examine Static Properties > General
+- `magika` — Examine Static Properties > General
+- `mbcscan` — Statically Analyze Code > PE Files
+- `monodis` — Examine Static Properties > .NET
+- `msgconvert` — Analyze Documents > Email Messages
+- `msitools` — Examine Static Properties > General
+- `msoffcrypto-crack.py` — Analyze Documents > Microsoft Office
+- `msoffice-crypt` — Analyze Documents > Microsoft Office
+- `myip` — General Utilities
+- `myjson-filter.py` — General Utilities
+- `name-that-hash` — Examine Static Properties > General
+- `nasm` — General Utilities
+- `nautilus` — General Utilities
+- `nginx` — Explore Network Interactions > Services
+- `nomorexor` — Examine Static Properties > Deobfuscation
+- `nsrllookup` — Gather and Analyze Data
+- `objdump` — Statically Analyze Code > General
+- `objects.js` — Dynamically Reverse-Engineer Code > Scripts
+- `olefile` — Analyze Documents > Microsoft Office
+- `onedump.py` — Analyze Documents > Microsoft Office
+- `opencode` — Use Artificial Intelligence
+- `openssh` — General Utilities
+- `origamindee` — Analyze Documents > PDF
+- `pcodedmp` — Analyze Documents > Microsoft Office
+- `pdnstool` — Gather and Analyze Data
+- `powershell` — Dynamically Reverse-Engineer Code > Scripts
+- `pyinstaller-extractor` — Statically Analyze Code > Python
+- `re-search.py` — Examine Static Properties > General
+- `redress` — Examine Static Properties > Go
+- `remnux-mcp-server` — Use Artificial Intelligence
+- `sandfly-processdecloak` — Investigate System Interactions
+- `scalpel` — Gather and Analyze Data
+- `scite` — View or Edit Files
+- `sets.py` — Examine Static Properties > Deobfuscation
+- `shellcode2exe-bat` — Dynamically Reverse-Engineer Code > Shellcode
+- `signsrch` — Examine Static Properties > General
+- `sortcanon.py` — General Utilities
+- `ssview` — Analyze Documents > Microsoft Office
+- `tcpick` — Explore Network Interactions > Monitoring
+- `tesseract-ocr` — Analyze Documents > General
+- `texteditor.py` — General Utilities
+- `thefuzz` — Examine Static Properties > General
+- `time-decode` — Gather and Analyze Data
+- `tor` — Explore Network Interactions > Connecting
+- `unhide` — Investigate System Interactions
+- `unicode` — Examine Static Properties > Deobfuscation
+- `unxor` — Examine Static Properties > Deobfuscation
+- `vbindiff` — View or Edit Files
+- `virustotal-search` — Gather and Analyze Data
+- `virustotal-submit` — Gather and Analyze Data
+- `wxhexeditor` — Examine Static Properties > General
+- `xmldump.py` — Analyze Documents > Microsoft Office
+- `xor-kpa.py` — Examine Static Properties > Deobfuscation
+- `xorbruteforcer` — Examine Static Properties > Deobfuscation
+- `xorstrings` — Examine Static Properties > Deobfuscation
+- `yara-x` — Gather and Analyze Data
+- `zbarimg` — Explore Network Interactions > Connecting
diff --git a/data/generated/labs.json b/data/generated/labs.json
new file mode 100644
index 0000000..a00c4cd
--- /dev/null
+++ b/data/generated/labs.json
@@ -0,0 +1,1972 @@ +{ + "labs": [ + { + "id": "1.1", + "section": 1, + "title": "Static Properties Analysis of brbbot.exe", + "sample": "brbbot.exe", + "analysis_type": "static-properties", + "tools_used": [ + { + "tool_id": "unzip", + "platform": "linux", + "purpose": "Extract malware sample from archive" + }, + { + "tool_id": "pestr", + "platform": "linux", + "purpose": "Extract ASCII and Unicode strings" + }, + { + "tool_id": "pestudio", + "platform": "windows", + "purpose": "Examine PE properties, imports, sections, and anomalies" + }, + { + "tool_id": "peframe", + "platform": "linux", + "purpose": "Examine static properties and detect anomalies" + } + ], + "key_techniques": [ + "string-extraction", + "pe-header-analysis", + "anomaly-detection", + "import-analysis" + ], + "tags": [ + "static-analysis", + "pe", + "strings", + "triage" + ] + }, + { + "id": "1.2", + "section": 1, + "title": "Initial Behavioral Analysis of brbbot.exe", + "sample": "brbbot.exe", + "analysis_type": "behavioral", + "tools_used": [ + { + "tool_id": "system-informer", + "platform": "windows", + "purpose": "Monitor running processes and network connections" + }, + { + "tool_id": "process-monitor", + "platform": "windows", + "purpose": "Capture file system, registry, and process activity" + }, + { + "tool_id": "regshot", + "platform": "windows", + "purpose": "Take registry/filesystem snapshot before infection" + }, + { + "tool_id": "wireshark", + "platform": "linux", + "purpose": "Capture network traffic from malware" + }, + { + "tool_id": "regshot", + "platform": "windows", + "purpose": "Compare registry/filesystem snapshot after infection" + }, + { + "tool_id": "procdot", + "platform": "windows", + "purpose": "Visualize Process Monitor logs for analysis" + } + ], + "key_techniques": [ + "process-monitoring", + "registry-monitoring", + "network-capture", + "behavioral-visualization" + ], + "prerequisite_labs": [ + "1.1" + ], + "tags": [ + "behavioral", + "monitoring", + "registry", + 
"network" + ] + }, + { + "id": "1.3", + "section": 1, + "title": "Intercepting brbbot.exe's Network Traffic", + "sample": "brbbot.exe", + "analysis_type": "network-interception", + "tools_used": [ + { + "tool_id": "fakedns", + "platform": "linux", + "purpose": "Spoof DNS to redirect malware traffic to REMnux" + }, + { + "tool_id": "nslookup", + "platform": "windows", + "purpose": "Verify DNS spoofing is working" + }, + { + "tool_id": "wireshark", + "platform": "linux", + "purpose": "Capture redirected network traffic" + }, + { + "tool_id": "httpd", + "platform": "linux", + "purpose": "Simulate C2 web server" + }, + { + "tool_id": "visual-studio-code", + "platform": "linux", + "purpose": "Edit web server response files" + } + ], + "key_techniques": [ + "dns-spoofing", + "traffic-interception", + "c2-analysis", + "http-payload-examination" + ], + "prerequisite_labs": [ + "1.2" + ], + "tags": [ + "network", + "dns", + "c2", + "interception" + ] + }, + { + "id": "1.4", + "section": 1, + "title": "Emulating the Execution of brbbot.exe", + "sample": "brbbot.exe", + "analysis_type": "emulation", + "tools_used": [ + { + "tool_id": "speakeasy", + "platform": "linux", + "purpose": "Emulate Windows API calls without native execution" + }, + { + "tool_id": "visual-studio-code", + "platform": "linux", + "purpose": "Examine emulation output" + }, + { + "tool_id": "jq", + "platform": "linux", + "purpose": "Extract API names from JSON report" + }, + { + "tool_id": "capa", + "platform": "linux", + "purpose": "Identify malware capabilities with MITRE ATT&CK mapping" + } + ], + "key_techniques": [ + "api-emulation", + "capability-detection", + "json-analysis" + ], + "prerequisite_labs": [ + "1.1" + ], + "tags": [ + "emulation", + "api-analysis", + "capa", + "speakeasy" + ] + }, + { + "id": "1.5", + "section": 1, + "title": "Decrypting brbbot.exe's Configuration File", + "sample": "brbbot.exe", + "analysis_type": "debugging", + "tools_used": [ + { + "tool_id": "x64dbg", + "platform": 
"windows", + "purpose": "Debug malware, set breakpoints on ReadFile and CryptDecrypt APIs" + }, + { + "tool_id": "pestudio", + "platform": "windows", + "purpose": "Examine imports to identify encryption APIs" + }, + { + "tool_id": "cyberchef", + "platform": "linux", + "purpose": "Decode XOR-encrypted exfiltrated payload" + } + ], + "key_techniques": [ + "api-breakpoints", + "configuration-decryption", + "xor-decoding", + "handle-inspection" + ], + "prerequisite_labs": [ + "1.1", + "1.3" + ], + "tags": [ + "debugging", + "decryption", + "xor", + "c2-config" + ] + }, + { + "id": "1.6", + "section": 1, + "title": "Experimenting with C2 Functionality in brbbot.exe", + "sample": "brbbot.exe", + "analysis_type": "behavioral", + "tools_used": [ + { + "tool_id": "httpd", + "platform": "linux", + "purpose": "Serve C2 commands via ads.php" + }, + { + "tool_id": "wireshark", + "platform": "linux", + "purpose": "Observe C2 request/response traffic" + }, + { + "tool_id": "system-informer", + "platform": "windows", + "purpose": "Monitor process spawning from C2 commands" + } + ], + "key_techniques": [ + "c2-command-testing", + "beaconing-analysis", + "command-execution-monitoring" + ], + "prerequisite_labs": [ + "1.3", + "1.5" + ], + "tags": [ + "c2", + "behavioral", + "command-control" + ] + }, + { + "id": "1.7", + "section": 1, + "title": "Intercepting HTTPS Connections Initiated by ghyte.exe", + "sample": "ghyte.exe", + "analysis_type": "network-interception", + "tools_used": [ + { + "tool_id": "wireshark", + "platform": "linux", + "purpose": "Capture initial network traffic" + }, + { + "tool_id": "fakedns", + "platform": "linux", + "purpose": "Redirect DNS for HTTPS interception" + }, + { + "tool_id": "system-informer", + "platform": "windows", + "purpose": "Monitor malware process" + }, + { + "tool_id": "inetsim", + "platform": "linux", + "purpose": "Emulate HTTPS and other internet services" + } + ], + "key_techniques": [ + "https-interception", + "service-emulation", + 
"tls-analysis" + ], + "prerequisite_labs": [ + "1.1" + ], + "tags": [ + "network", + "https", + "inetsim", + "interception" + ] + }, + { + "id": "1.8", + "section": 1, + "title": "Intercepting IP Address-Based Traffic Using iptables", + "sample": "getdown.exe", + "analysis_type": "network-interception", + "tools_used": [ + { + "tool_id": "wireshark", + "platform": "linux", + "purpose": "Capture network traffic" + }, + { + "tool_id": "system-informer", + "platform": "windows", + "purpose": "Monitor malware process" + }, + { + "tool_id": "httpd", + "platform": "linux", + "purpose": "Serve responses to redirected traffic" + }, + { + "tool_id": "iptables", + "platform": "linux", + "purpose": "Redirect IP-based traffic via NAT rules" + } + ], + "key_techniques": [ + "iptables-redirection", + "ip-based-interception", + "nat-rules" + ], + "prerequisite_labs": [ + "1.3" + ], + "tags": [ + "network", + "iptables", + "traffic-redirection" + ] + }, + { + "id": "2.1", + "section": 2, + "title": "Intro to Assembly and Ghidra", + "sample": "svchost.exe", + "analysis_type": "code-analysis", + "tools_used": [ + { + "tool_id": "ghidra", + "platform": "windows", + "purpose": "Disassemble and decompile \u2014 navigate function graphs, symbol trees, imports" + } + ], + "key_techniques": [ + "ghidra-navigation", + "function-graph", + "import-analysis", + "cross-references", + "equate-constants", + "commenting" + ], + "tags": [ + "assembly", + "ghidra", + "code-analysis", + "fundamentals" + ] + }, + { + "id": "2.2", + "section": 2, + "title": "HTTP C2 Analysis", + "sample": "svchost.exe", + "analysis_type": "code-analysis", + "tools_used": [ + { + "tool_id": "ghidra", + "platform": "windows", + "purpose": "Analyze HTTP C2 code patterns and API usage" + } + ], + "key_techniques": [ + "http-api-identification", + "data-type-archives", + "parameter-analysis", + "function-renaming" + ], + "prerequisite_labs": [ + "2.1" + ], + "tags": [ + "c2", + "http", + "api-patterns", + "ghidra" + ] + }, 
+ { + "id": "2.3", + "section": 2, + "title": "Function Components, Part 1", + "sample": "svchost.exe", + "analysis_type": "code-analysis", + "tools_used": [ + { + "tool_id": "ghidra", + "platform": "windows", + "purpose": "Analyze function prologue, epilogue, stack frames, and local variables" + } + ], + "key_techniques": [ + "function-prologue", + "function-epilogue", + "stack-frame", + "local-variables" + ], + "prerequisite_labs": [ + "2.1" + ], + "tags": [ + "assembly", + "functions", + "stack", + "ghidra" + ] + }, + { + "id": "2.4", + "section": 2, + "title": "Function Components, Part 2", + "sample": "svchost.exe", + "analysis_type": "code-analysis", + "tools_used": [ + { + "tool_id": "ghidra", + "platform": "windows", + "purpose": "Analyze function parameters, calling conventions, and return values" + } + ], + "key_techniques": [ + "calling-conventions", + "parameter-passing", + "return-values" + ], + "prerequisite_labs": [ + "2.3" + ], + "tags": [ + "assembly", + "functions", + "calling-conventions", + "ghidra" + ] + }, + { + "id": "2.5", + "section": 2, + "title": "Loop Components", + "sample": "svchost.exe", + "analysis_type": "code-analysis", + "tools_used": [ + { + "tool_id": "ghidra", + "platform": "windows", + "purpose": "Identify loops using string references and control flow analysis" + } + ], + "key_techniques": [ + "string-references", + "loop-identification", + "control-flow" + ], + "prerequisite_labs": [ + "2.1" + ], + "tags": [ + "assembly", + "loops", + "control-flow", + "ghidra" + ] + }, + { + "id": "2.6", + "section": 2, + "title": "Compound Expressions", + "sample": "svchost.exe", + "analysis_type": "code-analysis", + "tools_used": [ + { + "tool_id": "ghidra", + "platform": "windows", + "purpose": "Analyze complex conditional logic and nested decisions" + } + ], + "key_techniques": [ + "compound-conditions", + "nested-logic", + "decompiler-interpretation" + ], + "prerequisite_labs": [ + "2.1" + ], + "tags": [ + "assembly", + "conditionals", 
+ "ghidra" + ] + }, + { + "id": "2.7", + "section": 2, + "title": "Dropper Analysis", + "sample": "ishelp.dll", + "analysis_type": "code-analysis", + "tools_used": [ + { + "tool_id": "pestudio", + "platform": "windows", + "purpose": "Confirm DLL type and examine exports" + }, + { + "tool_id": "ghidra", + "platform": "windows", + "purpose": "Analyze resource extraction and file dropping code" + } + ], + "key_techniques": [ + "dll-analysis", + "exported-functions", + "resource-extraction", + "file-dropping" + ], + "prerequisite_labs": [ + "2.1" + ], + "tags": [ + "dropper", + "dll", + "resources", + "ghidra" + ] + }, + { + "id": "2.8", + "section": 2, + "title": "Intro to 64-bit Code Analysis", + "sample": "64-bit specimen", + "analysis_type": "code-analysis", + "tools_used": [ + { + "tool_id": "ghidra", + "platform": "windows", + "purpose": "Analyze 64-bit calling conventions and register usage" + } + ], + "key_techniques": [ + "x64-calling-convention", + "register-usage", + "schtasks-persistence" + ], + "prerequisite_labs": [ + "2.1" + ], + "tags": [ + "64-bit", + "assembly", + "x64", + "ghidra" + ] + }, + { + "id": "3.1", + "section": 3, + "title": "Examining steel1.pdf with pdf-parser.py", + "sample": "steel1.pdf", + "analysis_type": "pdf-analysis", + "tools_used": [ + { + "tool_id": "unzip", + "platform": "linux", + "purpose": "Extract sample from archive" + }, + { + "tool_id": "pdfid-py", + "platform": "linux", + "purpose": "Scan for suspicious PDF keywords (/URI, /JavaScript, /OpenAction)" + }, + { + "tool_id": "pdf-parser-py", + "platform": "linux", + "purpose": "Parse PDF objects, extract URLs, and dump embedded images" + }, + { + "tool_id": "feh", + "platform": "linux", + "purpose": "View extracted image from PDF object" + } + ], + "key_techniques": [ + "pdf-keyword-scanning", + "object-extraction", + "url-extraction", + "embedded-image-analysis" + ], + "tags": [ + "pdf", + "phishing", + "static-analysis" + ] + }, + { + "id": "3.2", + "section": 3, + 
"title": "Investigating the 'crophysi' Website with Fiddler", + "sample": "crophysi website", + "analysis_type": "web-analysis", + "tools_used": [ + { + "tool_id": "fiddler", + "platform": "windows", + "purpose": "Load and analyze captured HTTP/HTTPS traffic" + } + ], + "key_techniques": [ + "redirection-chain-analysis", + "http-request-inspection", + "payload-extraction" + ], + "tags": [ + "web", + "http", + "fiddler", + "traffic-analysis" + ] + }, + { + "id": "3.3", + "section": 3, + "title": "Analyzing mydoc.docm with oledump.py", + "sample": "mydoc.docm", + "analysis_type": "document-analysis", + "tools_used": [ + { + "tool_id": "unzip", + "platform": "linux", + "purpose": "Extract sample from archive" + }, + { + "tool_id": "trid", + "platform": "linux", + "purpose": "Identify file format (OOXML)" + }, + { + "tool_id": "oledump-py", + "platform": "linux", + "purpose": "List OLE streams and extract VBA macros" + }, + { + "tool_id": "numbers-to-string-py", + "platform": "linux", + "purpose": "Convert decimal sequences to readable strings" + }, + { + "tool_id": "visual-studio-code", + "platform": "linux", + "purpose": "View extracted macro code" + } + ], + "key_techniques": [ + "file-format-identification", + "ole-stream-analysis", + "vba-macro-extraction", + "string-decoding" + ], + "tags": [ + "office", + "vba", + "macro", + "oledump" + ] + }, + { + "id": "3.4", + "section": 3, + "title": "Analyzing PowerShell and Shellcode Artifacts in checkbox.doc", + "sample": "checkbox.doc", + "analysis_type": "document-analysis", + "tools_used": [ + { + "tool_id": "unzip", + "platform": "linux", + "purpose": "Extract sample" + }, + { + "tool_id": "file", + "platform": "linux", + "purpose": "Identify file type" + }, + { + "tool_id": "trid", + "platform": "linux", + "purpose": "Confirm OLE2 format" + }, + { + "tool_id": "oledump-py", + "platform": "linux", + "purpose": "Extract OLE streams and identify macro streams" + }, + { + "tool_id": "base64dump-py", + "platform": 
"linux", + "purpose": "Decode Base64-encoded PowerShell from UserForm" + }, + { + "tool_id": "gunzip", + "platform": "linux", + "purpose": "Decompress gzipped payload" + }, + { + "tool_id": "translate-py", + "platform": "linux", + "purpose": "XOR decode shellcode (byte ^ 35)" + }, + { + "tool_id": "strings", + "platform": "linux", + "purpose": "Extract strings from decoded shellcode" + }, + { + "tool_id": "scdbgc", + "platform": "linux", + "purpose": "Emulate shellcode to identify behavior" + }, + { + "tool_id": "yara", + "platform": "linux", + "purpose": "Scan for known malware patterns" + }, + { + "tool_id": "1768-py", + "platform": "linux", + "purpose": "Parse Cobalt Strike beacon configuration" + } + ], + "key_techniques": [ + "multi-stage-decoding", + "base64-gunzip-xor-chain", + "shellcode-emulation", + "cobalt-strike-identification" + ], + "prerequisite_labs": [ + "3.3" + ], + "tags": [ + "office", + "powershell", + "shellcode", + "cobalt-strike", + "multi-stage" + ] + }, + { + "id": "3.5", + "section": 3, + "title": "Examining qa.doc With rtfdump.py, scdbgc, and runsc", + "sample": "qa.doc", + "analysis_type": "document-analysis", + "tools_used": [ + { + "tool_id": "unzip", + "platform": "linux", + "purpose": "Extract sample" + }, + { + "tool_id": "file", + "platform": "linux", + "purpose": "Identify RTF format" + }, + { + "tool_id": "rtfdump-py", + "platform": "linux", + "purpose": "Parse RTF structure, locate hex-encoded embedded objects" + }, + { + "tool_id": "xorsearch", + "platform": "linux", + "purpose": "Detect shellcode patterns in extracted binary" + }, + { + "tool_id": "scdbgc", + "platform": "linux", + "purpose": "Emulate extracted shellcode" + }, + { + "tool_id": "runsc32", + "platform": "windows", + "purpose": "Execute shellcode for dynamic analysis" + }, + { + "tool_id": "x32dbg", + "platform": "windows", + "purpose": "Debug shellcode execution" + }, + { + "tool_id": "rar", + "platform": "linux", + "purpose": "Extract self-extracting RAR 
payloads" + } + ], + "key_techniques": [ + "rtf-structure-analysis", + "shellcode-detection", + "shellcode-emulation", + "self-extracting-archive-analysis" + ], + "prerequisite_labs": [ + "3.4" + ], + "tags": [ + "rtf", + "shellcode", + "exploitation", + "rar" + ] + }, + { + "id": "3.6", + "section": 3, + "title": "Deobfuscating loveyou.js with SpiderMonkey", + "sample": "loveyou.js", + "analysis_type": "javascript-deobfuscation", + "tools_used": [ + { + "tool_id": "unzip", + "platform": "linux", + "purpose": "Extract sample" + }, + { + "tool_id": "js-beautify", + "platform": "linux", + "purpose": "Format obfuscated JavaScript for readability" + }, + { + "tool_id": "visual-studio-code", + "platform": "linux", + "purpose": "Review beautified code" + }, + { + "tool_id": "spidermonkey", + "platform": "linux", + "purpose": "Execute JavaScript with objects.js to deobfuscate" + }, + { + "tool_id": "cscript", + "platform": "windows", + "purpose": "Execute JavaScript for AMSI monitoring" + }, + { + "tool_id": "logman", + "platform": "windows", + "purpose": "Start AMSI event trace session" + }, + { + "tool_id": "amsiscriptcontentretrieval", + "platform": "windows", + "purpose": "Extract monitored script content from AMSI logs" + }, + { + "tool_id": "notepadpp", + "platform": "windows", + "purpose": "View extracted AMSI output" + } + ], + "key_techniques": [ + "javascript-beautification", + "spidermonkey-execution", + "objects-js-simulation", + "amsi-monitoring" + ], + "tags": [ + "javascript", + "deobfuscation", + "spidermonkey", + "amsi" + ] + }, + { + "id": "3.7", + "section": 3, + "title": "Deobfuscating fgg.js Using SpiderMonkey", + "sample": "fgg.js", + "analysis_type": "javascript-deobfuscation", + "tools_used": [ + { + "tool_id": "unzip", + "platform": "linux", + "purpose": "Extract sample" + }, + { + "tool_id": "spidermonkey", + "platform": "linux", + "purpose": "Execute JavaScript (identify missing location.href)" + }, + { + "tool_id": "visual-studio-code", + 
"platform": "linux", + "purpose": "Edit objects.js to set location.href" + }, + { + "tool_id": "spidermonkey", + "platform": "linux", + "purpose": "Re-execute with modified objects.js to deobfuscate" + } + ], + "key_techniques": [ + "environment-simulation", + "objects-js-customization", + "location-href-spoofing" + ], + "prerequisite_labs": [ + "3.6" + ], + "tags": [ + "javascript", + "deobfuscation", + "spidermonkey" + ] + }, + { + "id": "3.8", + "section": 3, + "title": "Decoding the Initial Script with Fiddler and CyberChef", + "sample": "roomsvisitor.saz", + "analysis_type": "web-analysis", + "tools_used": [ + { + "tool_id": "fiddler", + "platform": "windows", + "purpose": "Load captured HTTP traffic and follow redirect chain" + }, + { + "tool_id": "notepadpp", + "platform": "windows", + "purpose": "View Base64-encoded PowerShell command" + }, + { + "tool_id": "cyberchef", + "platform": "both", + "purpose": "Decode Base64 and UTF-16LE to reveal PowerShell" + } + ], + "key_techniques": [ + "redirect-chain-analysis", + "base64-decoding", + "utf16-decoding", + "powershell-extraction" + ], + "prerequisite_labs": [ + "3.2" + ], + "tags": [ + "web", + "base64", + "powershell", + "cyberchef" + ] + }, + { + "id": "3.9", + "section": 3, + "title": "Decoding wrcaf.ps1 With Fiddler and PowerShell ISE", + "sample": "wrcaf.ps1", + "analysis_type": "powershell-analysis", + "tools_used": [ + { + "tool_id": "fiddler", + "platform": "windows", + "purpose": "Extract PowerShell script from HTTP traffic" + }, + { + "tool_id": "notepadpp", + "platform": "windows", + "purpose": "Initial script viewing" + }, + { + "tool_id": "powershell-ise", + "platform": "windows", + "purpose": "Debug script with breakpoints to extract decoded payload" + } + ], + "key_techniques": [ + "powershell-debugging", + "breakpoint-usage", + "variable-extraction", + "invoke-expression-interception" + ], + "prerequisite_labs": [ + "3.8" + ], + "tags": [ + "powershell", + "debugging", + "deobfuscation" + ] + 
}, + { + "id": "3.10", + "section": 3, + "title": "Examining Package.exe and iviewers.dll with PeStudio and x32dbg", + "sample": "Package.exe, iviewers.dll", + "analysis_type": "code-analysis", + "tools_used": [ + { + "tool_id": "fiddler", + "platform": "windows", + "purpose": "Extract Package.exe from HTTP traffic" + }, + { + "tool_id": "pestudio", + "platform": "windows", + "purpose": "Examine digital signature and PE properties" + }, + { + "tool_id": "x32dbg", + "platform": "windows", + "purpose": "Debug DLL loading and CreateProcessW calls" + }, + { + "tool_id": "notepadpp", + "platform": "windows", + "purpose": "View extracted PowerShell command parameters" + } + ], + "key_techniques": [ + "digital-signature-analysis", + "dll-sideloading", + "createprocess-breakpoints", + "multi-stage-payload" + ], + "prerequisite_labs": [ + "3.9" + ], + "tags": [ + "dll", + "debugging", + "digital-signature", + "sideloading" + ] + }, + { + "id": "3.11", + "section": 3, + "title": "Decoding iubn.ps1 With Fiddler and PowerShell ISE", + "sample": "iubn.ps1", + "analysis_type": "powershell-analysis", + "tools_used": [ + { + "tool_id": "fiddler", + "platform": "windows", + "purpose": "Extract PowerShell script from HTTP traffic" + }, + { + "tool_id": "notepadpp", + "platform": "windows", + "purpose": "Initial script examination" + }, + { + "tool_id": "powershell-ise", + "platform": "windows", + "purpose": "Debug and decode layered PowerShell" + } + ], + "key_techniques": [ + "powershell-debugging", + "invoke-expression-interception", + "out-file-extraction", + "dotnet-assembly-download" + ], + "prerequisite_labs": [ + "3.10" + ], + "tags": [ + "powershell", + "debugging", + "dotnet-loading" + ] + }, + { + "id": "3.12", + "section": 3, + "title": "Analyzing rwvg1.exe and its Artifacts with ILSpy and CyberChef", + "sample": "rwvg1.exe, ersyb.exe", + "analysis_type": "dotnet-analysis", + "tools_used": [ + { + "tool_id": "fiddler", + "platform": "windows", + "purpose": "Extract .NET 
assembly from HTTP traffic" + }, + { + "tool_id": "pestudio", + "platform": "windows", + "purpose": "Confirm .NET assembly" + }, + { + "tool_id": "ilspy", + "platform": "windows", + "purpose": "Decompile .NET to view C# source code" + }, + { + "tool_id": "cyberchef", + "platform": "both", + "purpose": "Decode Base64 + XOR payload" + }, + { + "tool_id": "exeinfo-pe", + "platform": "windows", + "purpose": "Identify second-stage .NET binary" + } + ], + "key_techniques": [ + "dotnet-decompilation", + "runtime-compilation-analysis", + "base64-xor-decoding", + "csharpcodeprovider-analysis" + ], + "prerequisite_labs": [ + "3.11" + ], + "tags": [ + "dotnet", + "decompilation", + "cyberchef", + "multi-stage" + ] + }, + { + "id": "4.1", + "section": 4, + "title": "Assessing the Packed brbbot.exe File", + "sample": "brbbot.exe (packed)", + "analysis_type": "unpacking", + "tools_used": [ + { + "tool_id": "unzip", + "platform": "linux", + "purpose": "Extract packed sample" + }, + { + "tool_id": "pestudio", + "platform": "windows", + "purpose": "Examine entropy, sections, and packing indicators" + }, + { + "tool_id": "diec", + "platform": "linux", + "purpose": "Identify packer (UPX detection)" + } + ], + "key_techniques": [ + "entropy-analysis", + "section-examination", + "packer-identification" + ], + "tags": [ + "packing", + "entropy", + "detection", + "triage" + ] + }, + { + "id": "4.2", + "section": 4, + "title": "Dumping and Fixing brbbot.exe Using Scylla", + "sample": "brbbot.exe (packed)", + "analysis_type": "unpacking", + "tools_used": [ + { + "tool_id": "upx", + "platform": "linux", + "purpose": "Attempt automated unpacking (fails \u2014 modified UPX)" + }, + { + "tool_id": "setdllcharacteristics", + "platform": "windows", + "purpose": "Disable ASLR for consistent memory addresses" + }, + { + "tool_id": "system-informer", + "platform": "windows", + "purpose": "Verify process is running after infection" + }, + { + "tool_id": "scylla", + "platform": "windows", + 
"purpose": "Dump unpacked process from memory and fix IAT" + }, + { + "tool_id": "pestudio", + "platform": "windows", + "purpose": "Verify dumped file is valid PE" + } + ], + "key_techniques": [ + "aslr-disabling", + "process-dumping", + "iat-reconstruction", + "scylla-workflow" + ], + "prerequisite_labs": [ + "4.1" + ], + "tags": [ + "unpacking", + "scylla", + "iat", + "memory-dump" + ] + }, + { + "id": "4.3", + "section": 4, + "title": "Unpacking brbbot.exe by Using x64dbg and OllyDumpEx", + "sample": "brbbot.exe (packed)", + "analysis_type": "unpacking", + "tools_used": [ + { + "tool_id": "x64dbg", + "platform": "windows", + "purpose": "Debug to locate unpacker JMP to OEP" + }, + { + "tool_id": "ollydumpex", + "platform": "windows", + "purpose": "Dump unpacked process from within debugger" + }, + { + "tool_id": "scylla", + "platform": "windows", + "purpose": "Fix IAT in dumped executable (as x64dbg plugin)" + } + ], + "key_techniques": [ + "oep-detection", + "unpacker-breakpoints", + "memory-dumping", + "iat-fixing" + ], + "prerequisite_labs": [ + "4.1" + ], + "tags": [ + "unpacking", + "debugger", + "oep", + "ollydumpex" + ] + }, + { + "id": "4.4", + "section": 4, + "title": "Debugging the Packed Version of brbbot.exe", + "sample": "brbbot.exe (packed)", + "analysis_type": "debugging", + "tools_used": [ + { + "tool_id": "x64dbg", + "platform": "windows", + "purpose": "Set hardware breakpoints on CryptDecrypt to analyze packed runtime behavior" + } + ], + "key_techniques": [ + "hardware-breakpoints", + "api-interception", + "packed-runtime-analysis" + ], + "prerequisite_labs": [ + "4.1" + ], + "tags": [ + "debugging", + "packed-malware", + "hardware-breakpoints" + ] + }, + { + "id": "4.5", + "section": 4, + "title": "Analyzing Multi-Technology Specimen PDFXCview.exe", + "sample": "PDFXCview.exe", + "analysis_type": "code-analysis", + "tools_used": [ + { + "tool_id": "system-informer", + "platform": "windows", + "purpose": "Monitor process creation and child 
processes" + }, + { + "tool_id": "process-monitor", + "platform": "windows", + "purpose": "Capture file system and registry activity" + }, + { + "tool_id": "procdot", + "platform": "windows", + "purpose": "Visualize multi-stage execution" + }, + { + "tool_id": "regedit", + "platform": "windows", + "purpose": "Examine registry keys created by malware" + }, + { + "tool_id": "reg-export", + "platform": "windows", + "purpose": "Extract JavaScript stored in registry to file" + }, + { + "tool_id": "winscp", + "platform": "windows", + "purpose": "Transfer artifacts to REMnux for analysis" + }, + { + "tool_id": "spidermonkey", + "platform": "linux", + "purpose": "Deobfuscate JavaScript component" + }, + { + "tool_id": "js-beautify", + "platform": "linux", + "purpose": "Format decoded JavaScript for readability" + }, + { + "tool_id": "visual-studio-code", + "platform": "linux", + "purpose": "View and analyze decoded scripts" + }, + { + "tool_id": "base64dump-py", + "platform": "linux", + "purpose": "Decode Base64-encoded payloads" + }, + { + "tool_id": "notepadpp", + "platform": "windows", + "purpose": "View decoded scripts" + }, + { + "tool_id": "powershell-ise", + "platform": "windows", + "purpose": "Debug PowerShell component" + } + ], + "key_techniques": [ + "multi-technology-analysis", + "registry-based-malware", + "fileless-techniques", + "cross-platform-workflow" + ], + "tags": [ + "multi-stage", + "javascript", + "powershell", + "behavioral" + ] + }, + { + "id": "4.6", + "section": 4, + "title": "Examining Capabilities of Shellcode Used by PDFXCview.exe", + "sample": "Shellcode from PDFXCview.exe", + "analysis_type": "shellcode-analysis", + "tools_used": [ + { + "tool_id": "scdbgc", + "platform": "both", + "purpose": "Emulate shellcode to identify API calls" + }, + { + "tool_id": "runsc32", + "platform": "windows", + "purpose": "Execute shellcode for dynamic analysis" + }, + { + "tool_id": "x32dbg", + "platform": "windows", + "purpose": "Debug shellcode execution 
and examine parameters" + } + ], + "key_techniques": [ + "shellcode-emulation", + "shellcode-debugging", + "api-parameter-analysis" + ], + "prerequisite_labs": [ + "4.5" + ], + "tags": [ + "shellcode", + "emulation", + "debugging" + ] + }, + { + "id": "4.7", + "section": 4, + "title": "Unpacking Shellcode That Was Used by PDFXCview.exe", + "sample": "Shellcode from PDFXCview.exe", + "analysis_type": "shellcode-analysis", + "tools_used": [ + { + "tool_id": "x32dbg", + "platform": "windows", + "purpose": "Set breakpoints on VirtualAlloc to track memory allocation" + }, + { + "tool_id": "pestudio", + "platform": "windows", + "purpose": "Verify dumped PE from allocated memory" + } + ], + "key_techniques": [ + "virtualalloc-breakpoints", + "multi-stage-shellcode", + "memory-dumping" + ], + "prerequisite_labs": [ + "4.6" + ], + "tags": [ + "shellcode", + "unpacking", + "virtualalloc" + ] + }, + { + "id": "4.8", + "section": 4, + "title": "Examining .NET Malware chatroom.exe", + "sample": "chatroom.exe", + "analysis_type": "dotnet-analysis", + "tools_used": [ + { + "tool_id": "unzip", + "platform": "linux", + "purpose": "Extract sample" + }, + { + "tool_id": "peframe", + "platform": "linux", + "purpose": "Identify as .NET with high entropy (packed)" + }, + { + "tool_id": "pestr", + "platform": "linux", + "purpose": "Extract strings" + }, + { + "tool_id": "ilspycmd", + "platform": "linux", + "purpose": "Decompile .NET assembly on command line" + }, + { + "tool_id": "visual-studio-code", + "platform": "linux", + "purpose": "Search decompiled code for Assembly.Load" + }, + { + "tool_id": "dnspyex", + "platform": "windows", + "purpose": "Debug .NET with breakpoints to extract in-memory assembly" + }, + { + "tool_id": "pestudio", + "platform": "windows", + "purpose": "Examine dumped assembly" + }, + { + "tool_id": "ilspy", + "platform": "windows", + "purpose": "Decompile dumped assembly" + }, + { + "tool_id": "de4dot", + "platform": "windows", + "purpose": "Deobfuscate .NET 
assembly" + } + ], + "key_techniques": [ + "dotnet-decompilation", + "reflective-loading-detection", + "assembly-load-breakpoints", + "in-memory-dumping", + "dotnet-deobfuscation" + ], + "tags": [ + "dotnet", + "debugging", + "deobfuscation", + "reflective-loading" + ] + }, + { + "id": "4.9", + "section": 4, + "title": "Examining Code Injection Capabilities of great.exe", + "sample": "great.exe", + "analysis_type": "code-injection", + "tools_used": [ + { + "tool_id": "ghidra", + "platform": "windows", + "purpose": "Analyze CreateRemoteThread, VirtualAllocEx, and process enumeration code" + } + ], + "key_techniques": [ + "createremotethread-analysis", + "virtualallocex-identification", + "process-enumeration", + "createtoolhelp32snapshot" + ], + "prerequisite_labs": [ + "2.1" + ], + "tags": [ + "code-injection", + "api-analysis", + "ghidra" + ] + }, + { + "id": "5.1", + "section": 5, + "title": "Patching getdown.exe to Bypass Debugger Detection", + "sample": "getdown.exe", + "analysis_type": "anti-analysis", + "tools_used": [ + { + "tool_id": "wireshark", + "platform": "linux", + "purpose": "Monitor network traffic" + }, + { + "tool_id": "system-informer", + "platform": "windows", + "purpose": "Monitor process behavior" + }, + { + "tool_id": "x64dbg", + "platform": "windows", + "purpose": "Identify and patch IsDebuggerPresent check" + } + ], + "key_techniques": [ + "isdebuggerpresent-bypass", + "instruction-patching", + "conditional-jump-modification" + ], + "tags": [ + "anti-debugging", + "patching", + "isdebuggerpresent" + ] + }, + { + "id": "5.2", + "section": 5, + "title": "Deobfuscating Strings Encoded Using Simple and Common Algorithms", + "sample": "getdown.exe, hubert.dll, 9.exe", + "analysis_type": "string-deobfuscation", + "tools_used": [ + { + "tool_id": "unzip", + "platform": "linux", + "purpose": "Extract samples" + }, + { + "tool_id": "xorsearch", + "platform": "linux", + "purpose": "Search for XOR-encoded patterns" + }, + { + "tool_id": "strings", + 
"platform": "linux", + "purpose": "Extract readable strings" + }, + { + "tool_id": "brxor-py", + "platform": "linux", + "purpose": "Brute-force XOR key detection" + }, + { + "tool_id": "bbcrack", + "platform": "linux", + "purpose": "Detect XOR/ROL/ADD obfuscation algorithms" + }, + { + "tool_id": "ghidra", + "platform": "windows", + "purpose": "Analyze deobfuscation routines in code" + }, + { + "tool_id": "strdeob-pl", + "platform": "linux", + "purpose": "Decode stack-built strings" + }, + { + "tool_id": "floss", + "platform": "linux", + "purpose": "Automatically extract all obfuscated strings" + }, + { + "tool_id": "visual-studio-code", + "platform": "linux", + "purpose": "View deobfuscation results" + } + ], + "key_techniques": [ + "xor-brute-forcing", + "stack-string-decoding", + "automated-string-extraction", + "obfuscation-algorithm-identification" + ], + "prerequisite_labs": [ + "2.1" + ], + "tags": [ + "strings", + "xor", + "deobfuscation", + "floss" + ] + }, + { + "id": "5.3", + "section": 5, + "title": "Unpacking drtg.exe", + "sample": "drtg.exe", + "analysis_type": "unpacking", + "tools_used": [ + { + "tool_id": "unzip", + "platform": "linux", + "purpose": "Extract sample" + }, + { + "tool_id": "floss", + "platform": "linux", + "purpose": "Extract strings to assess packing" + }, + { + "tool_id": "visual-studio-code", + "platform": "linux", + "purpose": "View FLOSS output" + }, + { + "tool_id": "x32dbg", + "platform": "windows", + "purpose": "Debug with RtlDecompressBuffer breakpoints" + }, + { + "tool_id": "scyllahide", + "platform": "windows", + "purpose": "Hide debugger from anti-debugging checks" + }, + { + "tool_id": "pestudio", + "platform": "windows", + "purpose": "Verify unpacked dump" + } + ], + "key_techniques": [ + "rtldecompressbuffer-interception", + "debugger-hiding", + "exception-configuration", + "memory-dumping" + ], + "prerequisite_labs": [ + "5.2" + ], + "tags": [ + "unpacking", + "anti-debugging", + "decompression" + ] + }, + { + "id": 
"5.4", + "section": 5, + "title": "Unpacking WinHost32.exe", + "sample": "WinHost32.exe", + "analysis_type": "unpacking", + "tools_used": [ + { + "tool_id": "unzip", + "platform": "linux", + "purpose": "Extract sample" + }, + { + "tool_id": "capa", + "platform": "linux", + "purpose": "Identify process hollowing capability" + }, + { + "tool_id": "ghidra", + "platform": "windows", + "purpose": "Analyze CreateProcess(SUSPENDED), VirtualAllocEx, WriteProcessMemory" + }, + { + "tool_id": "x32dbg", + "platform": "windows", + "purpose": "Set breakpoint on WriteProcessMemory to catch injected PE" + }, + { + "tool_id": "pestudio", + "platform": "windows", + "purpose": "Verify dumped PE from process hollowing" + } + ], + "key_techniques": [ + "process-hollowing-detection", + "create-suspended-analysis", + "writeprocessmemory-breakpoints", + "ntunmapviewofsection" + ], + "prerequisite_labs": [ + "5.3" + ], + "tags": [ + "process-hollowing", + "code-injection", + "unpacking" + ] + }, + { + "id": "5.5", + "section": 5, + "title": "Examining the Anti-Sandbox Defensive Capability of vbprop.exe", + "sample": "vbprop.exe", + "analysis_type": "anti-analysis", + "tools_used": [ + { + "tool_id": "ghidra", + "platform": "windows", + "purpose": "Analyze SetWindowsHookExA for mouse event interception" + }, + { + "tool_id": "x32dbg", + "platform": "windows", + "purpose": "Debug hook installation and handler" + } + ], + "key_techniques": [ + "setwindowshookex-analysis", + "mouse-hook-detection", + "sandbox-evasion" + ], + "prerequisite_labs": [ + "2.1" + ], + "tags": [ + "anti-sandbox", + "hooks", + "evasion" + ] + }, + { + "id": "5.6", + "section": 5, + "title": "Examining the Toolkit Detection Capabilities of raas.exe", + "sample": "raas.exe", + "analysis_type": "anti-analysis", + "tools_used": [ + { + "tool_id": "x32dbg", + "platform": "windows", + "purpose": "Step through toolkit detection routines" + }, + { + "tool_id": "scyllahide", + "platform": "windows", + "purpose": "Hide 
debugger from detection checks" + } + ], + "key_techniques": [ + "getmodulehandle-checks", + "findwindow-checks", + "process-enumeration", + "registry-vm-detection", + "blockinput-bypass" + ], + "prerequisite_labs": [ + "2.1" + ], + "tags": [ + "anti-analysis", + "toolkit-detection", + "vm-detection" + ] + }, + { + "id": "5.7", + "section": 5, + "title": "Understanding the SEH Defense in want.exe", + "sample": "want.exe", + "analysis_type": "anti-analysis", + "tools_used": [ + { + "tool_id": "x32dbg", + "platform": "windows", + "purpose": "Analyze SEH chain setup and exception handler execution" + } + ], + "key_techniques": [ + "seh-manipulation", + "exception-handler-analysis", + "fs-segment-usage", + "seh-breakpoints" + ], + "prerequisite_labs": [ + "2.1" + ], + "tags": [ + "seh", + "anti-analysis", + "exception-handling" + ] + }, + { + "id": "5.8", + "section": 5, + "title": "Unpacking want.exe Using a Stack Breakpoint", + "sample": "want.exe", + "analysis_type": "unpacking", + "tools_used": [ + { + "tool_id": "x32dbg", + "platform": "windows", + "purpose": "Set stack breakpoint to detect unpacking completion" + }, + { + "tool_id": "ollydumpex", + "platform": "windows", + "purpose": "Dump unpacked process from memory" + }, + { + "tool_id": "scylla", + "platform": "windows", + "purpose": "Reconstruct IAT in dumped executable" + }, + { + "tool_id": "pestudio", + "platform": "windows", + "purpose": "Verify unpacked PE" + } + ], + "key_techniques": [ + "stack-breakpoints", + "oep-detection-via-stack", + "memory-dumping", + "iat-reconstruction" + ], + "prerequisite_labs": [ + "5.7" + ], + "tags": [ + "unpacking", + "stack-breakpoint", + "seh" + ] + }, + { + "id": "5.9", + "section": 5, + "title": "Bypassing Self-Defensive Measures in lansrv.exe", + "sample": "lansrv.exe", + "analysis_type": "anti-analysis", + "tools_used": [ + { + "tool_id": "pestudio", + "platform": "windows", + "purpose": "Identify TLS callback in thread-local-storage section" + }, + { + "tool_id": 
"x32dbg", + "platform": "windows", + "purpose": "Debug TLS callback, patch IsDebuggerPresent, fix GS segment override" + } + ], + "key_techniques": [ + "tls-callback-analysis", + "isdebuggerpresent-bypass", + "segment-register-patching", + "xor-decoding-loop", + "multi-defense-bypass" + ], + "prerequisite_labs": [ + "2.1" + ], + "tags": [ + "tls-callback", + "anti-debugging", + "patching", + "multi-defense" + ] + }, + { + "id": "5.10", + "section": 5, + "title": "Unpacking yep.exe with the Help of x32dbg and pe_unmapper", + "sample": "yep.exe", + "analysis_type": "unpacking", + "tools_used": [ + { + "tool_id": "pestudio", + "platform": "windows", + "purpose": "Initial analysis \u2014 note gibberish strings indicating packing" + }, + { + "tool_id": "x32dbg", + "platform": "windows", + "purpose": "Set breakpoints on LoadLibraryA and VirtualProtect" + }, + { + "tool_id": "xanalyzer", + "platform": "windows", + "purpose": "Enhanced analysis showing API parameters" + }, + { + "tool_id": "pe-unmapper", + "platform": "windows", + "purpose": "Convert virtual-aligned dump to raw alignment" + }, + { + "tool_id": "scylla", + "platform": "windows", + "purpose": "Fix IAT in unmapped executable" + } + ], + "key_techniques": [ + "loadlibrary-breakpoints", + "virtualprotect-breakpoints", + "memory-region-dumping", + "virtual-to-raw-alignment", + "oep-anticipation" + ], + "prerequisite_labs": [ + "5.8" + ], + "tags": [ + "unpacking", + "pe-unmapper", + "virtualprotect", + "loadlibrary" + ] + } + ] +} \ No newline at end of file diff --git a/data/generated/tldr/1768.py.md b/data/generated/tldr/1768.py.md new file mode 100644 index 0000000..5b65edf --- /dev/null +++ b/data/generated/tldr/1768.py.md @@ -0,0 +1,7 @@ +# 1768.py + +> Parse Cobalt Strike beacon configuration from shellcode or memory dumps + +- Run 1768.py: + +`1768.py shellcode.bin` diff --git a/data/generated/tldr/7-zip.md b/data/generated/tldr/7-zip.md new file mode 100644 index 0000000..14eed51 --- /dev/null 
+++ b/data/generated/tldr/7-zip.md @@ -0,0 +1,7 @@ +# 7-Zip + +> Compress and decompress files using a variety of algorithms. + +- Run 7-Zip: + +`7-Zip --help` diff --git a/data/generated/tldr/aeskeyfinder.md b/data/generated/tldr/aeskeyfinder.md new file mode 100644 index 0000000..5aa4922 --- /dev/null +++ b/data/generated/tldr/aeskeyfinder.md @@ -0,0 +1,7 @@ +# AESKeyFinder + +> Find 128-bit and 256-bit AES keys in a memory image. + +- Run AESKeyFinder: + +`AESKeyFinder --help` diff --git a/data/generated/tldr/androguard.md b/data/generated/tldr/androguard.md new file mode 100644 index 0000000..40e08ea --- /dev/null +++ b/data/generated/tldr/androguard.md @@ -0,0 +1,15 @@ +# androguard + +> Analyze Android APK files — extract permissions, activities, intents, and decompile DEX code + +- Run androguard: + +`androguard analyze ` + +- Run androguard: + +`androguard decompile -o output/ ` + +- Run androguard: + +`androgui.py ` diff --git a/data/generated/tldr/androidprojectcreator.md b/data/generated/tldr/androidprojectcreator.md new file mode 100644 index 0000000..3fa2ca5 --- /dev/null +++ b/data/generated/tldr/androidprojectcreator.md @@ -0,0 +1,7 @@ +# AndroidProjectCreator + +> Convert an Android APK application file into an Android Studio project for easier analysis. + +- Run AndroidProjectCreator: + +`AndroidProjectCreator --help` diff --git a/data/generated/tldr/anomy.md b/data/generated/tldr/anomy.md new file mode 100644 index 0000000..c5e9cb1 --- /dev/null +++ b/data/generated/tldr/anomy.md @@ -0,0 +1,7 @@ +# anomy + +> A wrapper around wget, ssh, sftp, ftp, and telnet to route these connections through Tor to anonymize your traffic. + +- Run anomy: + +`anomy --help` diff --git a/data/generated/tldr/apkid.md b/data/generated/tldr/apkid.md new file mode 100644 index 0000000..8eb9105 --- /dev/null +++ b/data/generated/tldr/apkid.md 
@@ -0,0 +1,7 @@ +# apkid + +> Identify compilers, packers, and obfuscators used to protect Android APK and DEX files. + +- Run apkid: + +`apkid --help` diff --git a/data/generated/tldr/apktool.md b/data/generated/tldr/apktool.md new file mode 100644 index 0000000..dace5a4 --- /dev/null +++ b/data/generated/tldr/apktool.md @@ -0,0 +1,11 @@ +# apktool + +> Decompile and recompile Android APK files — extract resources, smali code, and manifest + +- Run apktool: + +`apktool d -o output/` + +- Run apktool: + +`apktool b output/ -o rebuilt.apk` diff --git a/data/generated/tldr/autoit-ripper.md b/data/generated/tldr/autoit-ripper.md new file mode 100644 index 0000000..b9b30cf --- /dev/null +++ b/data/generated/tldr/autoit-ripper.md @@ -0,0 +1,7 @@ +# autoit-ripper + +> Extract AutoIt scripts embedded in PE binaries. + +- Run autoit-ripper: + +`autoit-ripper --help` diff --git a/data/generated/tldr/baksmali.md b/data/generated/tldr/baksmali.md new file mode 100644 index 0000000..862a1c3 --- /dev/null +++ b/data/generated/tldr/baksmali.md @@ -0,0 +1,7 @@ +# baksmali + +> Disassembler for the dex format used by Dalvik, Android's Java VM implementation. + +- Run baksmali: + +`baksmali --help` diff --git a/data/generated/tldr/balbuzard.md b/data/generated/tldr/balbuzard.md new file mode 100644 index 0000000..21c401f --- /dev/null +++ b/data/generated/tldr/balbuzard.md @@ -0,0 +1,7 @@ +# balbuzard + +> Extract and deobfuscate patterns from suspicious files. + +- Run balbuzard: + +`balbuzard --help` diff --git a/data/generated/tldr/base64dump.py.md b/data/generated/tldr/base64dump.py.md new file mode 100644 index 0000000..a421532 --- /dev/null +++ b/data/generated/tldr/base64dump.py.md @@ -0,0 +1,15 @@ +# base64dump.py + +> Extract and decode Base64-encoded strings from files + +- Run base64dump.py: + +`base64dump.py file.txt` + +- Run base64dump.py: + +`base64dump.py file.ps1 -n 10` + +- Run base64dump.py: + +`base64dump.py file.ps1 -s 2 -d` 
diff --git a/data/generated/tldr/bbcrack.md b/data/generated/tldr/bbcrack.md new file mode 100644 index 0000000..ffeaec9 --- /dev/null +++ b/data/generated/tldr/bbcrack.md @@ -0,0 +1,7 @@ +# bbcrack + +> Detect and decode strings obfuscated with XOR, ROL, and ADD algorithms + +- Run bbcrack: + +`bbcrack -l 1 specimen.dll` diff --git a/data/generated/tldr/binee--binary-emulation-environment.md b/data/generated/tldr/binee--binary-emulation-environment.md new file mode 100644 index 0000000..a6a4b88 --- /dev/null +++ b/data/generated/tldr/binee--binary-emulation-environment.md @@ -0,0 +1,7 @@ +# binee (Binary Emulation Environment) + +> Analyze I/O operations of a suspicious PE file by emulating its execution. + +- Run binee (Binary Emulation Environment): + +`binee (Binary Emulation Environment) --help` diff --git a/data/generated/tldr/binwalk.md b/data/generated/tldr/binwalk.md new file mode 100644 index 0000000..7c9e889 --- /dev/null +++ b/data/generated/tldr/binwalk.md @@ -0,0 +1,11 @@ +# binwalk + +> Analyze and extract embedded files and firmware images + +- Run binwalk: + +`binwalk firmware.bin` + +- Run binwalk: + +`binwalk -e firmware.bin` diff --git a/data/generated/tldr/box-js.md b/data/generated/tldr/box-js.md new file mode 100644 index 0000000..f496165 --- /dev/null +++ b/data/generated/tldr/box-js.md @@ -0,0 +1,7 @@ +# box-js + +> JavaScript sandbox for analyzing malicious scripts by emulating browser/WScript APIs + +- Run box-js: + +`box-js --output-dir=/tmp suspicious.js` diff --git a/data/generated/tldr/brxor.py.md b/data/generated/tldr/brxor.py.md new file mode 100644 index 0000000..26586c1 --- /dev/null +++ b/data/generated/tldr/brxor.py.md @@ -0,0 +1,7 @@ +# brxor.py + +> Brute-force XOR key detection for single-byte XOR-encoded strings + +- Run brxor.py: + +`brxor.py specimen.dll` diff --git a/data/generated/tldr/bulk-extractor.md b/data/generated/tldr/bulk-extractor.md new file mode 100644 index 0000000..fabeaa4 --- /dev/null 
+++ b/data/generated/tldr/bulk-extractor.md @@ -0,0 +1,7 @@ +# bulk-extractor + +> Extract interesting strings from binary files. + +- Run bulk-extractor: + +`bulk-extractor --help` diff --git a/data/generated/tldr/burp-suite-community-edition.md b/data/generated/tldr/burp-suite-community-edition.md new file mode 100644 index 0000000..c12ee1f --- /dev/null +++ b/data/generated/tldr/burp-suite-community-edition.md @@ -0,0 +1,7 @@ +# Burp Suite Community Edition + +> Investigate website interactions using this web proxy. + +- Run Burp Suite Community Edition: + +`Burp Suite Community Edition --help` diff --git a/data/generated/tldr/bytehist.md b/data/generated/tldr/bytehist.md new file mode 100644 index 0000000..bb40ff9 --- /dev/null +++ b/data/generated/tldr/bytehist.md @@ -0,0 +1,7 @@ +# Bytehist + +> Generate byte-usage histograms to visually identify packed or encrypted sections in binaries + +- Run Bytehist: + +`bytehist specimen.exe` diff --git a/data/generated/tldr/cabextract.md b/data/generated/tldr/cabextract.md new file mode 100644 index 0000000..84d6452 --- /dev/null +++ b/data/generated/tldr/cabextract.md @@ -0,0 +1,7 @@ +# cabextract + +> Extract Microsoft cabinet (cab) files. + +- Run cabextract: + +`cabextract --help` diff --git a/data/generated/tldr/capa.md b/data/generated/tldr/capa.md new file mode 100644 index 0000000..459470b --- /dev/null +++ b/data/generated/tldr/capa.md @@ -0,0 +1,15 @@ +# capa + +> Identify malware capabilities mapped to MITRE ATT&CK framework and Malware Behavior Catalog + +- Run capa: + +`capa specimen.exe` + +- Run capa: + +`capa -vv specimen.exe` + +- Run capa: + +`capa -vv specimen.exe | grep -A7 'Suspended Process'` diff --git a/data/generated/tldr/cast.md b/data/generated/tldr/cast.md new file mode 100644 index 0000000..85f9b54 --- /dev/null +++ b/data/generated/tldr/cast.md @@ -0,0 +1,7 @@ +# cast + +> Install and manage SaltStack-based Linux distributions. + +- Run cast: + +`cast --help` 
diff --git a/data/generated/tldr/cfr.md b/data/generated/tldr/cfr.md new file mode 100644 index 0000000..ff68266 --- /dev/null +++ b/data/generated/tldr/cfr.md @@ -0,0 +1,11 @@ +# cfr + +> Modern Java decompiler — handles Java 8+ features including lambdas and try-with-resources + +- Run cfr: + +`cfr --outputdir output/` + +- Run cfr: + +`cfr ` diff --git a/data/generated/tldr/chepy.md b/data/generated/tldr/chepy.md new file mode 100644 index 0000000..943c4cd --- /dev/null +++ b/data/generated/tldr/chepy.md @@ -0,0 +1,7 @@ +# chepy + +> Decode and otherwise analyze data using this command-line tool and Python library. + +- Run chepy: + +`chepy --help` diff --git a/data/generated/tldr/clamav.md b/data/generated/tldr/clamav.md new file mode 100644 index 0000000..3f4e69d --- /dev/null +++ b/data/generated/tldr/clamav.md @@ -0,0 +1,15 @@ +# ClamAV + +> Open-source antivirus — scan files for known malware signatures + +- Run ClamAV: + +`clamscan ` + +- Run ClamAV: + +`clamscan -r /` + +- Run ClamAV: + +`freshclam` diff --git a/data/generated/tldr/cobalt-strike-configuration-extractor--csce--and-parser.md b/data/generated/tldr/cobalt-strike-configuration-extractor--csce--and-parser.md new file mode 100644 index 0000000..af0b90a --- /dev/null +++ b/data/generated/tldr/cobalt-strike-configuration-extractor--csce--and-parser.md @@ -0,0 +1,7 @@ +# Cobalt Strike Configuration Extractor (CSCE) and Parser + +> Analyze Cobalt Strike beacons. + +- Run Cobalt Strike Configuration Extractor (CSCE) and Parser: + +`Cobalt Strike Configuration Extractor (CSCE) and Parser --help` diff --git a/data/generated/tldr/cs-analyze-processdump.py.md b/data/generated/tldr/cs-analyze-processdump.py.md new file mode 100644 index 0000000..285c9a9 --- /dev/null +++ b/data/generated/tldr/cs-analyze-processdump.py.md @@ -0,0 +1,7 @@ +# cs-analyze-processdump.py + +> Analyze Cobalt Strike beacon process dumps for sleep mask encoding + +- Run cs-analyze-processdump.py: + +`cs-analyze-processdump.py ` 
diff --git a/data/generated/tldr/cs-decrypt-metadata.py.md b/data/generated/tldr/cs-decrypt-metadata.py.md new file mode 100644 index 0000000..e197237 --- /dev/null +++ b/data/generated/tldr/cs-decrypt-metadata.py.md @@ -0,0 +1,7 @@ +# cs-decrypt-metadata.py + +> Decrypt Cobalt Strike beacon metadata from network captures + +- Run cs-decrypt-metadata.py: + +`cs-decrypt-metadata.py ` diff --git a/data/generated/tldr/cs-extract-key.py.md b/data/generated/tldr/cs-extract-key.py.md new file mode 100644 index 0000000..709476e --- /dev/null +++ b/data/generated/tldr/cs-extract-key.py.md @@ -0,0 +1,7 @@ +# cs-extract-key.py + +> Extract AES and HMAC encryption keys from Cobalt Strike beacon process memory dumps + +- Run cs-extract-key.py: + +`cs-extract-key.py -f ` diff --git a/data/generated/tldr/cs-parse-traffic.py.md b/data/generated/tldr/cs-parse-traffic.py.md new file mode 100644 index 0000000..f1b8c15 --- /dev/null +++ b/data/generated/tldr/cs-parse-traffic.py.md @@ -0,0 +1,7 @@ +# cs-parse-traffic.py + +> Decrypt and parse Cobalt Strike beacon network traffic using extracted keys + +- Run cs-parse-traffic.py: + +`cs-parse-traffic.py -f -k ` diff --git a/data/generated/tldr/curl.md b/data/generated/tldr/curl.md new file mode 100644 index 0000000..ec1744f --- /dev/null +++ b/data/generated/tldr/curl.md @@ -0,0 +1,11 @@ +# curl + +> Transfer data to/from servers using various protocols + +- Run curl: + +`curl -L http://example.com` + +- Run curl: + +`curl -o output.bin http://example.com/file` diff --git a/data/generated/tldr/cut-bytes.py.md b/data/generated/tldr/cut-bytes.py.md new file mode 100644 index 0000000..da7ffd0 --- /dev/null +++ b/data/generated/tldr/cut-bytes.py.md @@ -0,0 +1,7 @@ +# cut-bytes.py + +> Cut out a part of a data stream. + +- Run cut-bytes.py: + +`cut-bytes.py --help` diff --git a/data/generated/tldr/cutter.md b/data/generated/tldr/cutter.md new file mode 100644 index 0000000..a1685e6 --- /dev/null +++ b/data/generated/tldr/cutter.md 
@@ -0,0 +1,7 @@ +# Cutter + +> Open-source reverse engineering platform — Qt-based GUI for radare2 + +- Run Cutter: + +`cutter specimen.exe` diff --git a/data/generated/tldr/cyberchef.md b/data/generated/tldr/cyberchef.md new file mode 100644 index 0000000..5064ab1 --- /dev/null +++ b/data/generated/tldr/cyberchef.md @@ -0,0 +1,7 @@ +# CyberChef + +> Web-based data transformation tool — decode Base64, XOR, hex, decompress, and chain operations + +- Run CyberChef: + +`cyberchef` diff --git a/data/generated/tldr/dc3-mwcp.md b/data/generated/tldr/dc3-mwcp.md new file mode 100644 index 0000000..f0917f6 --- /dev/null +++ b/data/generated/tldr/dc3-mwcp.md @@ -0,0 +1,11 @@ +# dc3-mwcp + +> DC3 Malware Configuration Parser — extract C2 configs from known malware families + +- Run dc3-mwcp: + +`mwcp parse ` + +- Run dc3-mwcp: + +`mwcp parse -p Emotet ` diff --git a/data/generated/tldr/de4dot.md b/data/generated/tldr/de4dot.md new file mode 100644 index 0000000..bfdaa73 --- /dev/null +++ b/data/generated/tldr/de4dot.md @@ -0,0 +1,7 @@ +# de4dot + +> .NET deobfuscator — remove obfuscation from .NET assemblies + +- Run de4dot: + +`de4dot obfuscated.exe` diff --git a/data/generated/tldr/decode-vbe.py.md b/data/generated/tldr/decode-vbe.py.md new file mode 100644 index 0000000..9129148 --- /dev/null +++ b/data/generated/tldr/decode-vbe.py.md @@ -0,0 +1,7 @@ +# decode-vbe.py + +> Decode encoded VBS scripts (VBE). + +- Run decode-vbe.py: + +`decode-vbe.py --help` diff --git a/data/generated/tldr/decompyle.md b/data/generated/tldr/decompyle.md new file mode 100644 index 0000000..2a1525d --- /dev/null +++ b/data/generated/tldr/decompyle.md @@ -0,0 +1,7 @@ +# Decompyle++ + +> Python bytecode disassembler and decompiler. + +- Run Decompyle++: + +`Decompyle++ --help` diff --git a/data/generated/tldr/dex2jar.md b/data/generated/tldr/dex2jar.md new file mode 100644 index 0000000..2b2aa60 --- /dev/null +++ b/data/generated/tldr/dex2jar.md 
@@ -0,0 +1,7 @@ +# dex2jar + +> Examine Dalvik Executable (dex) files. + +- Run dex2jar: + +`dex2jar --help` diff --git a/data/generated/tldr/dexray.md b/data/generated/tldr/dexray.md new file mode 100644 index 0000000..d4da7bc --- /dev/null +++ b/data/generated/tldr/dexray.md @@ -0,0 +1,7 @@ +# dexray + +> Extract and decode data from antivirus quarantine files. + +- Run dexray: + +`dexray --help` diff --git a/data/generated/tldr/diec.md b/data/generated/tldr/diec.md new file mode 100644 index 0000000..b598fc9 --- /dev/null +++ b/data/generated/tldr/diec.md @@ -0,0 +1,7 @@ +# diec + +> Detect packers, compilers, and tools used to create executables + +- Run diec: + +`diec specimen.exe` diff --git a/data/generated/tldr/disitool.md b/data/generated/tldr/disitool.md new file mode 100644 index 0000000..1457705 --- /dev/null +++ b/data/generated/tldr/disitool.md @@ -0,0 +1,7 @@ +# disitool + +> Manipulate embedded digital signatures. + +- Run disitool: + +`disitool --help` diff --git a/data/generated/tldr/dissect.md b/data/generated/tldr/dissect.md new file mode 100644 index 0000000..811ca66 --- /dev/null +++ b/data/generated/tldr/dissect.md @@ -0,0 +1,7 @@ +# dissect + +> Perform a variety of forensics and incident response tasks using this DFIR framework and toolset. + +- Run dissect: + +`dissect --help` diff --git a/data/generated/tldr/dnfile.md b/data/generated/tldr/dnfile.md new file mode 100644 index 0000000..81cb847 --- /dev/null +++ b/data/generated/tldr/dnfile.md @@ -0,0 +1,7 @@ +# dnfile + +> Analyze static properties of. + +- Run dnfile: + +`dnfile --help` diff --git a/data/generated/tldr/dnslib.md b/data/generated/tldr/dnslib.md new file mode 100644 index 0000000..0b3b4ea --- /dev/null +++ b/data/generated/tldr/dnslib.md @@ -0,0 +1,7 @@ +# dnslib + +> Python library to encode/decode DNS wire-format packets. + +- Run dnslib: + +`dnslib --help` 
diff --git a/data/generated/tldr/dnsresolver.py.md b/data/generated/tldr/dnsresolver.py.md new file mode 100644 index 0000000..bed7a72 --- /dev/null +++ b/data/generated/tldr/dnsresolver.py.md @@ -0,0 +1,7 @@ +# dnsresolver.py + +> DNS resolver tool for dynamic analysis with wildcard and tracking support. + +- Run dnsresolver.py: + +`dnsresolver.py --help` diff --git a/data/generated/tldr/docker.md b/data/generated/tldr/docker.md new file mode 100644 index 0000000..2062dec --- /dev/null +++ b/data/generated/tldr/docker.md @@ -0,0 +1,7 @@ +# docker + +> Run and manage containers. + +- Run docker: + +`docker --help` diff --git a/data/generated/tldr/dos2unix.md b/data/generated/tldr/dos2unix.md new file mode 100644 index 0000000..31e859f --- /dev/null +++ b/data/generated/tldr/dos2unix.md @@ -0,0 +1,7 @@ +# dos2unix + +> Convert text files with Windows or macOS line breaks to Unix line breaks and vice versa. + +- Run dos2unix: + +`dos2unix --help` diff --git a/data/generated/tldr/dotnetfile.md b/data/generated/tldr/dotnetfile.md new file mode 100644 index 0000000..b8e0fba --- /dev/null +++ b/data/generated/tldr/dotnetfile.md @@ -0,0 +1,7 @@ +# dotnetfile + +> Analyze static properties of. + +- Run dotnetfile: + +`dotnetfile --help` diff --git a/data/generated/tldr/droidlysis.md b/data/generated/tldr/droidlysis.md new file mode 100644 index 0000000..91ee463 --- /dev/null +++ b/data/generated/tldr/droidlysis.md @@ -0,0 +1,7 @@ +# droidlysis + +> Perform static analysis of Android applications. + +- Run droidlysis: + +`droidlysis --help` diff --git a/data/generated/tldr/emldump.py.md b/data/generated/tldr/emldump.py.md new file mode 100644 index 0000000..3ce640b --- /dev/null +++ b/data/generated/tldr/emldump.py.md @@ -0,0 +1,7 @@ +# emldump.py + +> Parse and analyze EML email message files + +- Run emldump.py: + +`emldump.py message.eml` 
diff --git a/data/generated/tldr/epic-irc-client.md b/data/generated/tldr/epic-irc-client.md new file mode 100644 index 0000000..04438d6 --- /dev/null +++ b/data/generated/tldr/epic-irc-client.md @@ -0,0 +1,7 @@ +# EPIC IRC Client + +> Examine IRC activities with this IRC client. + +- Run EPIC IRC Client: + +`EPIC IRC Client --help` diff --git a/data/generated/tldr/evilclippy.md b/data/generated/tldr/evilclippy.md new file mode 100644 index 0000000..a710f32 --- /dev/null +++ b/data/generated/tldr/evilclippy.md @@ -0,0 +1,7 @@ +# evilclippy + +> Remove VBA project password protection and manipulate Office macro settings + +- Run evilclippy: + +`evilclippy -uu document.docm` diff --git a/data/generated/tldr/evince.md b/data/generated/tldr/evince.md new file mode 100644 index 0000000..5f49eec --- /dev/null +++ b/data/generated/tldr/evince.md @@ -0,0 +1,7 @@ +# evince + +> View documents in a variety of formats, including PDF. + +- Run evince: + +`evince --help` diff --git a/data/generated/tldr/ex-pe-xor.md b/data/generated/tldr/ex-pe-xor.md new file mode 100644 index 0000000..4f16fe5 --- /dev/null +++ b/data/generated/tldr/ex-pe-xor.md @@ -0,0 +1,7 @@ +# ex-pe-xor + +> Search an XOR'ed file for indications of executable binaries. + +- Run ex-pe-xor: + +`ex-pe-xor --help` diff --git a/data/generated/tldr/exiftool.md b/data/generated/tldr/exiftool.md new file mode 100644 index 0000000..26cd8d4 --- /dev/null +++ b/data/generated/tldr/exiftool.md @@ -0,0 +1,11 @@ +# exiftool + +> Extract metadata from files (PDF, images, documents, executables) + +- Run exiftool: + +`exiftool document.pdf` + +- Run exiftool: + +`exiftool specimen.exe` diff --git a/data/generated/tldr/fakedns.md b/data/generated/tldr/fakedns.md new file mode 100644 index 0000000..b493990 --- /dev/null +++ b/data/generated/tldr/fakedns.md @@ -0,0 +1,7 @@ +# fakedns + +> Fake DNS server that resolves all queries to a specified IP for traffic interception + +- Run fakedns: + +`fakedns` 
diff --git a/data/generated/tldr/fakemail.md b/data/generated/tldr/fakemail.md new file mode 100644 index 0000000..2a6cc50 --- /dev/null +++ b/data/generated/tldr/fakemail.md @@ -0,0 +1,7 @@ +# fakemail + +> Intercept and examine SMTP email activity with this fake SMTP server. + +- Run fakemail: + +`fakemail --help` diff --git a/data/generated/tldr/fakenet-ng.md b/data/generated/tldr/fakenet-ng.md new file mode 100644 index 0000000..b58e97b --- /dev/null +++ b/data/generated/tldr/fakenet-ng.md @@ -0,0 +1,11 @@ +# fakenet-ng + +> Emulate network services (HTTP, DNS, SMTP, FTP) to intercept and analyze malware traffic dynamically + +- Run fakenet-ng: + +`fakenet` + +- Run fakenet-ng: + +`fakenet -c custom_config.ini` diff --git a/data/generated/tldr/feh.md b/data/generated/tldr/feh.md new file mode 100644 index 0000000..4744bda --- /dev/null +++ b/data/generated/tldr/feh.md @@ -0,0 +1,7 @@ +# feh + +> Lightweight image viewer for viewing extracted images from documents + +- Run feh: + +`feh extracted_image.jpg` diff --git a/data/generated/tldr/file-magic.py.md b/data/generated/tldr/file-magic.py.md new file mode 100644 index 0000000..d54a011 --- /dev/null +++ b/data/generated/tldr/file-magic.py.md @@ -0,0 +1,7 @@ +# file-magic.py + +> Identify file types using the Python magic module. + +- Run file-magic.py: + +`file-magic.py --help` diff --git a/data/generated/tldr/file.md b/data/generated/tldr/file.md new file mode 100644 index 0000000..d794d8e --- /dev/null +++ b/data/generated/tldr/file.md @@ -0,0 +1,11 @@ +# file + +> Determine file type and MIME type using magic bytes + +- Run file: + +`file specimen.exe` + +- Run file: + +`file document.doc` diff --git a/data/generated/tldr/firefox.md b/data/generated/tldr/firefox.md new file mode 100644 index 0000000..63e621b --- /dev/null +++ b/data/generated/tldr/firefox.md @@ -0,0 +1,7 @@ +# firefox + +> Web browser. + +- Run firefox: + +`firefox --help` 
diff --git a/data/generated/tldr/floss.md b/data/generated/tldr/floss.md new file mode 100644 index 0000000..8294a03 --- /dev/null +++ b/data/generated/tldr/floss.md @@ -0,0 +1,15 @@ +# FLOSS + +> Automatically extract obfuscated strings from malware using static analysis, stack strings, and emulation + +- Run FLOSS: + +`floss specimen.exe` + +- Run FLOSS: + +`floss specimen.exe > strings-output.txt` + +- Run FLOSS: + +`floss --no-static -- specimen.exe` diff --git a/data/generated/tldr/format-bytes.py.md b/data/generated/tldr/format-bytes.py.md new file mode 100644 index 0000000..3c13236 --- /dev/null +++ b/data/generated/tldr/format-bytes.py.md @@ -0,0 +1,7 @@ +# format-bytes.py + +> Decompose structured binary data with format strings. + +- Run format-bytes.py: + +`format-bytes.py --help` diff --git a/data/generated/tldr/frida.md b/data/generated/tldr/frida.md new file mode 100644 index 0000000..e3bdda2 --- /dev/null +++ b/data/generated/tldr/frida.md @@ -0,0 +1,15 @@ +# Frida + +> Dynamic instrumentation toolkit — hook and trace running processes, intercept function calls in real time + +- Run Frida: + +`frida -l hook.js ` + +- Run Frida: + +`frida-trace -i 'recv*' ` + +- Run Frida: + +`frida-ps -U` diff --git a/data/generated/tldr/ghidra.md b/data/generated/tldr/ghidra.md new file mode 100644 index 0000000..2e39dba --- /dev/null +++ b/data/generated/tldr/ghidra.md @@ -0,0 +1,7 @@ +# Ghidra + +> Open-source disassembler and decompiler from NSA with scripting, function graphs, and data type management + +- Run Ghidra: + +`ghidra` diff --git a/data/generated/tldr/ghidrassistmcp.md b/data/generated/tldr/ghidrassistmcp.md new file mode 100644 index 0000000..4b1a09c --- /dev/null +++ b/data/generated/tldr/ghidrassistmcp.md @@ -0,0 +1,7 @@ +# GhidrAssistMCP + +> MCP server for AI-assisted reverse engineering in Ghidra. + +- Run GhidrAssistMCP: + +`GhidrAssistMCP --help` 
diff --git a/data/generated/tldr/gnome-calculator.md b/data/generated/tldr/gnome-calculator.md new file mode 100644 index 0000000..fcbcb5c --- /dev/null +++ b/data/generated/tldr/gnome-calculator.md @@ -0,0 +1,7 @@ +# GNOME Calculator + +> Calculator. + +- Run GNOME Calculator: + +`GNOME Calculator --help` diff --git a/data/generated/tldr/gnu-wget.md b/data/generated/tldr/gnu-wget.md new file mode 100644 index 0000000..e9bae51 --- /dev/null +++ b/data/generated/tldr/gnu-wget.md @@ -0,0 +1,7 @@ +# GNU Wget + +> Interact with servers via HTTP, HTTPS, FTP, and FTPS using this command-line tool. + +- Run GNU Wget: + +`GNU Wget --help` diff --git a/data/generated/tldr/goresym.md b/data/generated/tldr/goresym.md new file mode 100644 index 0000000..5a7ada3 --- /dev/null +++ b/data/generated/tldr/goresym.md @@ -0,0 +1,7 @@ +# goresym + +> Extract metadata and symbols from Go binaries, including stripped ones. + +- Run goresym: + +`goresym --help` diff --git a/data/generated/tldr/gunzip.md b/data/generated/tldr/gunzip.md new file mode 100644 index 0000000..b1e0f5b --- /dev/null +++ b/data/generated/tldr/gunzip.md @@ -0,0 +1,7 @@ +# gunzip + +> Decompress gzip-compressed data (often used in multi-stage payload extraction) + +- Run gunzip: + +`gunzip -c compressed.gz > output.bin` diff --git a/data/generated/tldr/hachoir.md b/data/generated/tldr/hachoir.md new file mode 100644 index 0000000..ddc5e23 --- /dev/null +++ b/data/generated/tldr/hachoir.md @@ -0,0 +1,7 @@ +# Hachoir + +> View, edit, and carve contents of various binary file types. + +- Run Hachoir: + +`Hachoir --help` diff --git a/data/generated/tldr/hash-id.md b/data/generated/tldr/hash-id.md new file mode 100644 index 0000000..a48600a --- /dev/null +++ b/data/generated/tldr/hash-id.md @@ -0,0 +1,7 @@ +# Hash ID + +> Identify different types of hashes. + +- Run Hash ID: + +`Hash ID --help` 
diff --git a/data/generated/tldr/hex-to-bin.py.md b/data/generated/tldr/hex-to-bin.py.md new file mode 100644 index 0000000..444a8e1 --- /dev/null +++ b/data/generated/tldr/hex-to-bin.py.md @@ -0,0 +1,7 @@ +# hex-to-bin.py + +> Convert hexadecimal text dumps to binary data. + +- Run hex-to-bin.py: + +`hex-to-bin.py --help` diff --git a/data/generated/tldr/hexdump.md b/data/generated/tldr/hexdump.md new file mode 100644 index 0000000..05076ed --- /dev/null +++ b/data/generated/tldr/hexdump.md @@ -0,0 +1,7 @@ +# hexdump + +> Display file content in hexadecimal format + +- Run hexdump: + +`hexdump -C binary.dat` diff --git a/data/generated/tldr/httpd.md b/data/generated/tldr/httpd.md new file mode 100644 index 0000000..ba3ef86 --- /dev/null +++ b/data/generated/tldr/httpd.md @@ -0,0 +1,7 @@ +# httpd + +> Simple HTTP server on REMnux for simulating C2 web servers + +- Run httpd: + +`httpd` diff --git a/data/generated/tldr/ibus.md b/data/generated/tldr/ibus.md new file mode 100644 index 0000000..fbb2cfc --- /dev/null +++ b/data/generated/tldr/ibus.md @@ -0,0 +1,7 @@ +# ibus + +> Adjust input methods for the GUI. + +- Run ibus: + +`ibus --help` diff --git a/data/generated/tldr/ilspy.md b/data/generated/tldr/ilspy.md new file mode 100644 index 0000000..677f06a --- /dev/null +++ b/data/generated/tldr/ilspy.md @@ -0,0 +1,7 @@ +# ILSpy + +> .NET assembly decompiler — view C#/VB.NET source from compiled .NET binaries + +- Run ILSpy: + +`ILSpy.exe assembly.exe` diff --git a/data/generated/tldr/ilspycmd.md b/data/generated/tldr/ilspycmd.md new file mode 100644 index 0000000..346fcef --- /dev/null +++ b/data/generated/tldr/ilspycmd.md @@ -0,0 +1,7 @@ +# ilspycmd + +> Command-line .NET decompiler (CLI version of ILSpy) + +- Run ilspycmd: + +`ilspycmd assembly.exe > decompiled.cs` diff --git a/data/generated/tldr/imagemagick.md b/data/generated/tldr/imagemagick.md new file mode 100644 index 0000000..a786f73 --- /dev/null +++ b/data/generated/tldr/imagemagick.md 
@@ -0,0 +1,7 @@ +# imagemagick + +> View and manipulate image and related files. + +- Run imagemagick: + +`imagemagick --help` diff --git a/data/generated/tldr/inetsim.md b/data/generated/tldr/inetsim.md new file mode 100644 index 0000000..8b97577 --- /dev/null +++ b/data/generated/tldr/inetsim.md @@ -0,0 +1,7 @@ +# INetSim + +> Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for malware analysis in isolated labs + +- Run INetSim: + +`inetsim` diff --git a/data/generated/tldr/inspircd.md b/data/generated/tldr/inspircd.md new file mode 100644 index 0000000..2005376 --- /dev/null +++ b/data/generated/tldr/inspircd.md @@ -0,0 +1,7 @@ +# inspircd + +> Examine IRC activity with this IRC server. + +- Run inspircd: + +`inspircd --help` diff --git a/data/generated/tldr/ioc-parser.md b/data/generated/tldr/ioc-parser.md new file mode 100644 index 0000000..8e9a1d3 --- /dev/null +++ b/data/generated/tldr/ioc-parser.md @@ -0,0 +1,7 @@ +# ioc-parser + +> Extract indicators of compromise (IOCs) from PDF reports and text files + +- Run ioc-parser: + +`ioc_parser ` diff --git a/data/generated/tldr/iptables.md b/data/generated/tldr/iptables.md new file mode 100644 index 0000000..251aa25 --- /dev/null +++ b/data/generated/tldr/iptables.md @@ -0,0 +1,7 @@ +# iptables + +> Linux firewall and NAT tool for redirecting IP-based malware traffic + +- Run iptables: + +`iptables -t nat -A PREROUTING -i ens32 -j REDIRECT` diff --git a/data/generated/tldr/ipwhois.md b/data/generated/tldr/ipwhois.md new file mode 100644 index 0000000..81a8ff8 --- /dev/null +++ b/data/generated/tldr/ipwhois.md @@ -0,0 +1,7 @@ +# ipwhois + +> Retrieve and parse whois data for IP addresses. + +- Run ipwhois: + +`ipwhois --help` diff --git a/data/generated/tldr/jadx.md b/data/generated/tldr/jadx.md new file mode 100644 index 0000000..4ebe7cc --- /dev/null +++ b/data/generated/tldr/jadx.md 
@@ -0,0 +1,11 @@ +# jadx + +> Decompile Android DEX/APK to Java source code with a GUI or command line + +- Run jadx: + +`jadx -d output/` + +- Run jadx: + +`jadx-gui ` diff --git a/data/generated/tldr/java-idx-parser.md b/data/generated/tldr/java-idx-parser.md new file mode 100644 index 0000000..1c7a212 --- /dev/null +++ b/data/generated/tldr/java-idx-parser.md @@ -0,0 +1,7 @@ +# java-idx-parser + +> Analyze Java IDX files. + +- Run java-idx-parser: + +`java-idx-parser --help` diff --git a/data/generated/tldr/javassist.md b/data/generated/tldr/javassist.md new file mode 100644 index 0000000..a6f4d1f --- /dev/null +++ b/data/generated/tldr/javassist.md @@ -0,0 +1,7 @@ +# Javassist + +> Java bytecode engineering toolkit/library. + +- Run Javassist: + +`Javassist --help` diff --git a/data/generated/tldr/jd-gui-java-decompiler.md b/data/generated/tldr/jd-gui-java-decompiler.md new file mode 100644 index 0000000..0d69d87 --- /dev/null +++ b/data/generated/tldr/jd-gui-java-decompiler.md @@ -0,0 +1,7 @@ +# JD-GUI Java Decompiler + +> Java decompiler with GUI. + +- Run JD-GUI Java Decompiler: + +`JD-GUI Java Decompiler --help` diff --git a/data/generated/tldr/jd-gui.md b/data/generated/tldr/jd-gui.md new file mode 100644 index 0000000..4a3679f --- /dev/null +++ b/data/generated/tldr/jd-gui.md @@ -0,0 +1,7 @@ +# jd-gui + +> Visual Java decompiler with GUI — browse and search decompiled JAR/class files + +- Run jd-gui: + +`jd-gui ` diff --git a/data/generated/tldr/jq.md b/data/generated/tldr/jq.md new file mode 100644 index 0000000..fc3d057 --- /dev/null +++ b/data/generated/tldr/jq.md @@ -0,0 +1,11 @@ +# jq + +> Command-line JSON processor for extracting and transforming structured data + +- Run jq: + +`cat report.json | jq '.apis'` + +- Run jq: + +`jq -r '.entry' report.json` diff --git a/data/generated/tldr/js-beautify.md b/data/generated/tldr/js-beautify.md new file mode 100644 index 0000000..4ec6d6d --- /dev/null +++ b/data/generated/tldr/js-beautify.md 
@@ -0,0 +1,7 @@ +# js-beautify + +> Format and beautify obfuscated JavaScript code for readability + +- Run js-beautify: + +`js-beautify malicious.js > beautified.js` diff --git a/data/generated/tldr/jstillery.md b/data/generated/tldr/jstillery.md new file mode 100644 index 0000000..c073a65 --- /dev/null +++ b/data/generated/tldr/jstillery.md @@ -0,0 +1,7 @@ +# jstillery + +> Deobfuscate JavaScript scripts using AST and Partial Evaluation techniques. + +- Run jstillery: + +`jstillery --help` diff --git a/data/generated/tldr/libemu.md b/data/generated/tldr/libemu.md new file mode 100644 index 0000000..69c8ff2 --- /dev/null +++ b/data/generated/tldr/libemu.md @@ -0,0 +1,7 @@ +# libemu + +> A library for x86 code emulation and shellcode detection. + +- Run libemu: + +`libemu --help` diff --git a/data/generated/tldr/libolecf.md b/data/generated/tldr/libolecf.md new file mode 100644 index 0000000..0cb1bc7 --- /dev/null +++ b/data/generated/tldr/libolecf.md @@ -0,0 +1,7 @@ +# libolecf + +> Microsoft Office OLE2 compound documents. + +- Run libolecf: + +`libolecf --help` diff --git a/data/generated/tldr/lief.md b/data/generated/tldr/lief.md new file mode 100644 index 0000000..455e32d --- /dev/null +++ b/data/generated/tldr/lief.md @@ -0,0 +1,7 @@ +# lief + +> Parse and analyze PE, ELF, MachO, DEX, OAT, VDEX, ART, and DWARF executable formats. + +- Run lief: + +`lief --help` diff --git a/data/generated/tldr/magika.md b/data/generated/tldr/magika.md new file mode 100644 index 0000000..1286be9 --- /dev/null +++ b/data/generated/tldr/magika.md @@ -0,0 +1,7 @@ +# magika + +> Identify file type using signatures. + +- Run magika: + +`magika --help` diff --git a/data/generated/tldr/mail-parser.md b/data/generated/tldr/mail-parser.md new file mode 100644 index 0000000..3739019 --- /dev/null +++ b/data/generated/tldr/mail-parser.md 
@@ -0,0 +1,7 @@ +# mail-parser + +> Parse raw SMTP email messages and extract headers, body, and attachments + +- Run mail-parser: + +`python3 -c "import mailparser; mail = mailparser.parse_from_file(''); print(mail.subject)"` diff --git a/data/generated/tldr/malcat-lite.md b/data/generated/tldr/malcat-lite.md new file mode 100644 index 0000000..441998f --- /dev/null +++ b/data/generated/tldr/malcat-lite.md @@ -0,0 +1,7 @@ +# Malcat Lite + +> Analyze binary files using a hex editor, disassembler, and file dissector. + +- Run Malcat Lite: + +`Malcat Lite --help` diff --git a/data/generated/tldr/malchive.md b/data/generated/tldr/malchive.md new file mode 100644 index 0000000..d23cfc1 --- /dev/null +++ b/data/generated/tldr/malchive.md @@ -0,0 +1,7 @@ +# Malchive + +> Multi-purpose malware analysis library — config extraction, deobfuscation, and static analysis + +- Run Malchive: + +`malchive ` diff --git a/data/generated/tldr/malwoverview.md b/data/generated/tldr/malwoverview.md new file mode 100644 index 0000000..5aa5f7c --- /dev/null +++ b/data/generated/tldr/malwoverview.md @@ -0,0 +1,11 @@ +# malwoverview + +> Query VirusTotal, Hybrid Analysis, and MalwareBazaar for malware intelligence + +- Run malwoverview: + +`malwoverview -v ` + +- Run malwoverview: + +`malwoverview -f ` diff --git a/data/generated/tldr/mbcscan.md b/data/generated/tldr/mbcscan.md new file mode 100644 index 0000000..d9a83fb --- /dev/null +++ b/data/generated/tldr/mbcscan.md @@ -0,0 +1,7 @@ +# mbcscan + +> Scan a PE file to list the associated Malware Behavior Catalog (MBC) details. + +- Run mbcscan: + +`mbcscan --help` diff --git a/data/generated/tldr/mitmproxy.md b/data/generated/tldr/mitmproxy.md new file mode 100644 index 0000000..fb37081 --- /dev/null +++ b/data/generated/tldr/mitmproxy.md 
@@ -0,0 +1,15 @@ +# mitmproxy + +> Interactive HTTPS proxy for intercepting, inspecting, and modifying encrypted web traffic + +- Run mitmproxy: + +`mitmproxy` + +- Run mitmproxy: + +`mitmdump -w capture.flow` + +- Run mitmproxy: + +`mitmproxy --mode transparent` diff --git a/data/generated/tldr/monodis.md b/data/generated/tldr/monodis.md new file mode 100644 index 0000000..7969e73 --- /dev/null +++ b/data/generated/tldr/monodis.md @@ -0,0 +1,7 @@ +# monodis + +> Disassemble and extract resources from. + +- Run monodis: + +`monodis --help` diff --git a/data/generated/tldr/msg-extractor.md b/data/generated/tldr/msg-extractor.md new file mode 100644 index 0000000..8b98af0 --- /dev/null +++ b/data/generated/tldr/msg-extractor.md @@ -0,0 +1,11 @@ +# msg-extractor + +> Extract emails and attachments from Microsoft Outlook MSG files + +- Run msg-extractor: + +`extract_msg ` + +- Run msg-extractor: + +`extract_msg --out-dir output/ ` diff --git a/data/generated/tldr/msgconvert.md b/data/generated/tldr/msgconvert.md new file mode 100644 index 0000000..18de105 --- /dev/null +++ b/data/generated/tldr/msgconvert.md @@ -0,0 +1,7 @@ +# msgconvert + +> Convert MSG files to MBOX files. + +- Run msgconvert: + +`msgconvert --help` diff --git a/data/generated/tldr/msitools.md b/data/generated/tldr/msitools.md new file mode 100644 index 0000000..0f8f40c --- /dev/null +++ b/data/generated/tldr/msitools.md @@ -0,0 +1,7 @@ +# msitools + +> Create, inspect and extract Windows Installer (. + +- Run msitools: + +`msitools --help` diff --git a/data/generated/tldr/msoffcrypto-crack.py.md b/data/generated/tldr/msoffcrypto-crack.py.md new file mode 100644 index 0000000..8f85505 --- /dev/null +++ b/data/generated/tldr/msoffcrypto-crack.py.md @@ -0,0 +1,7 @@ +# msoffcrypto-crack.py + +> Recover the password of an encrypted Microsoft Office document. + +- Run msoffcrypto-crack.py: + +`msoffcrypto-crack.py --help` 
diff --git a/data/generated/tldr/msoffcrypto-tool.md b/data/generated/tldr/msoffcrypto-tool.md new file mode 100644 index 0000000..b3b3f47 --- /dev/null +++ b/data/generated/tldr/msoffcrypto-tool.md @@ -0,0 +1,11 @@ +# msoffcrypto-tool + +> Decrypt password-protected Microsoft Office documents (OLE and OOXML) + +- Run msoffcrypto-tool: + +`msoffcrypto-tool -p infected ` + +- Run msoffcrypto-tool: + +`msoffcrypto-tool -p password ` diff --git a/data/generated/tldr/msoffice-crypt.md b/data/generated/tldr/msoffice-crypt.md new file mode 100644 index 0000000..d8da1a4 --- /dev/null +++ b/data/generated/tldr/msoffice-crypt.md @@ -0,0 +1,7 @@ +# msoffice-crypt + +> Encrypt and decrypt OOXML Microsoft Office documents. + +- Run msoffice-crypt: + +`msoffice-crypt --help` diff --git a/data/generated/tldr/myip.md b/data/generated/tldr/myip.md new file mode 100644 index 0000000..f6815d6 --- /dev/null +++ b/data/generated/tldr/myip.md @@ -0,0 +1,7 @@ +# myip + +> Determine the IP address of the default network interface. + +- Run myip: + +`myip --help` diff --git a/data/generated/tldr/myjson-filter.py.md b/data/generated/tldr/myjson-filter.py.md new file mode 100644 index 0000000..3c8865f --- /dev/null +++ b/data/generated/tldr/myjson-filter.py.md @@ -0,0 +1,7 @@ +# myjson-filter.py + +> Filter data formatted using the JSON format used by Didier Stevens' tools. + +- Run myjson-filter.py: + +`myjson-filter.py --help` diff --git a/data/generated/tldr/name-that-hash.md b/data/generated/tldr/name-that-hash.md new file mode 100644 index 0000000..8519273 --- /dev/null +++ b/data/generated/tldr/name-that-hash.md @@ -0,0 +1,7 @@ +# name-that-hash + +> Identify dfferent types of hashes. + +- Run name-that-hash: + +`name-that-hash --help` diff --git a/data/generated/tldr/nasm.md b/data/generated/tldr/nasm.md new file mode 100644 index 0000000..23b6a7a --- /dev/null +++ b/data/generated/tldr/nasm.md @@ -0,0 +1,7 @@ +# nasm + +> An x86-64 assembler. + +- Run nasm: + +`nasm --help` 
diff --git a/data/generated/tldr/nautilus.md b/data/generated/tldr/nautilus.md new file mode 100644 index 0000000..310d3bd --- /dev/null +++ b/data/generated/tldr/nautilus.md @@ -0,0 +1,7 @@ +# nautilus + +> Graphical file manager. + +- Run nautilus: + +`nautilus --help` diff --git a/data/generated/tldr/nc.md b/data/generated/tldr/nc.md new file mode 100644 index 0000000..7b16e13 --- /dev/null +++ b/data/generated/tldr/nc.md @@ -0,0 +1,11 @@ +# nc + +> Network utility for reading/writing data across TCP/UDP connections + +- Run nc: + +`nc -l -p 3127` + +- Run nc: + +`nc target_ip 80` diff --git a/data/generated/tldr/network-miner-free-edition.md b/data/generated/tldr/network-miner-free-edition.md new file mode 100644 index 0000000..4109138 --- /dev/null +++ b/data/generated/tldr/network-miner-free-edition.md @@ -0,0 +1,7 @@ +# Network Miner Free Edition + +> Examine network traffic and carve PCAP capture files. + +- Run Network Miner Free Edition: + +`Network Miner Free Edition --help` diff --git a/data/generated/tldr/networkminer.md b/data/generated/tldr/networkminer.md new file mode 100644 index 0000000..c60a6b7 --- /dev/null +++ b/data/generated/tldr/networkminer.md @@ -0,0 +1,7 @@ +# networkminer + +> Passive network traffic analyzer — extracts files, images, credentials from PCAP captures + +- Run networkminer: + +`NetworkMiner --pcap ` diff --git a/data/generated/tldr/nginx.md b/data/generated/tldr/nginx.md new file mode 100644 index 0000000..2095b0d --- /dev/null +++ b/data/generated/tldr/nginx.md @@ -0,0 +1,7 @@ +# nginx + +> Web server. + +- Run nginx: + +`nginx --help` diff --git a/data/generated/tldr/ngrep.md b/data/generated/tldr/ngrep.md new file mode 100644 index 0000000..55fe6d2 --- /dev/null +++ b/data/generated/tldr/ngrep.md @@ -0,0 +1,11 @@ +# ngrep + +> Search network traffic for patterns — like grep for packets + +- Run ngrep: + +`ngrep -I 'password'` + +- Run ngrep: + +`ngrep -d eth0 'GET|POST' 'tcp port 80'` 
diff --git a/data/generated/tldr/nomorexor.md b/data/generated/tldr/nomorexor.md new file mode 100644 index 0000000..9c77fbd --- /dev/null +++ b/data/generated/tldr/nomorexor.md @@ -0,0 +1,7 @@ +# nomorexor + +> Help guess a file's 256-byte XOR by using frequency analysis. + +- Run nomorexor: + +`nomorexor --help` diff --git a/data/generated/tldr/nslookup.md b/data/generated/tldr/nslookup.md new file mode 100644 index 0000000..52693fe --- /dev/null +++ b/data/generated/tldr/nslookup.md @@ -0,0 +1,7 @@ +# nslookup + +> DNS query tool for testing name resolution + +- Run nslookup: + +`nslookup domain.com` diff --git a/data/generated/tldr/nsrllookup.md b/data/generated/tldr/nsrllookup.md new file mode 100644 index 0000000..d6f095e --- /dev/null +++ b/data/generated/tldr/nsrllookup.md @@ -0,0 +1,7 @@ +# nsrllookup + +> Look up MD5 file hashes in the NIST National Software Reference Library (NSRL). + +- Run nsrllookup: + +`nsrllookup --help` diff --git a/data/generated/tldr/numbers-to-string.py.md b/data/generated/tldr/numbers-to-string.py.md new file mode 100644 index 0000000..ad9ffca --- /dev/null +++ b/data/generated/tldr/numbers-to-string.py.md @@ -0,0 +1,7 @@ +# numbers-to-string.py + +> Convert sequences of decimal numbers to readable characters + +- Run numbers-to-string.py: + +`oledump.py doc.docm -s A3 -v | numbers-to-string.py -j` diff --git a/data/generated/tldr/objdump.md b/data/generated/tldr/objdump.md new file mode 100644 index 0000000..f73309d --- /dev/null +++ b/data/generated/tldr/objdump.md @@ -0,0 +1,7 @@ +# objdump + +> Disassemble binary files. + +- Run objdump: + +`objdump --help` diff --git a/data/generated/tldr/objects.js.md b/data/generated/tldr/objects.js.md new file mode 100644 index 0000000..ab11552 --- /dev/null +++ b/data/generated/tldr/objects.js.md @@ -0,0 +1,7 @@ +# objects.js + +> Emulate common browser and PDF viewer objects, methods, and properties when deobfuscating JavaScript. + +- Run objects.js: + +`objects.js --help` 
diff --git a/data/generated/tldr/oledump.py.md b/data/generated/tldr/oledump.py.md new file mode 100644 index 0000000..2c77070 --- /dev/null +++ b/data/generated/tldr/oledump.py.md @@ -0,0 +1,15 @@ +# oledump.py + +> Analyze OLE2 files (Office documents), extract streams and VBA macros + +- Run oledump.py: + +`oledump.py document.docm` + +- Run oledump.py: + +`oledump.py document.docm -s A3 -v` + +- Run oledump.py: + +`oledump.py document.docm -i` diff --git a/data/generated/tldr/olefile.md b/data/generated/tldr/olefile.md new file mode 100644 index 0000000..6197939 --- /dev/null +++ b/data/generated/tldr/olefile.md @@ -0,0 +1,7 @@ +# olefile + +> Python package to parse, read and write MS OLE2 files. + +- Run olefile: + +`olefile --help` diff --git a/data/generated/tldr/olevba.md b/data/generated/tldr/olevba.md new file mode 100644 index 0000000..0fcb4b4 --- /dev/null +++ b/data/generated/tldr/olevba.md @@ -0,0 +1,11 @@ +# olevba + +> Extract and analyze VBA macros from Office documents with deobfuscation + +- Run olevba: + +`olevba document.docm` + +- Run olevba: + +`olevba --deobf document.docm` diff --git a/data/generated/tldr/onedump.py.md b/data/generated/tldr/onedump.py.md new file mode 100644 index 0000000..ac12469 --- /dev/null +++ b/data/generated/tldr/onedump.py.md @@ -0,0 +1,7 @@ +# onedump.py + +> Extract and analyze embedded files from OneNote documents. + +- Run onedump.py: + +`onedump.py --help` diff --git a/data/generated/tldr/opencode.md b/data/generated/tldr/opencode.md new file mode 100644 index 0000000..2dd841f --- /dev/null +++ b/data/generated/tldr/opencode.md @@ -0,0 +1,7 @@ +# opencode + +> Open-source AI coding agent for the terminal. + +- Run opencode: + +`opencode --help` diff --git a/data/generated/tldr/openssh.md b/data/generated/tldr/openssh.md new file mode 100644 index 0000000..dbf1ac3 --- /dev/null +++ b/data/generated/tldr/openssh.md 
@@ -0,0 +1,7 @@ +# openssh + +> Initiate and receive SSH and SFTP connections. + +- Run openssh: + +`openssh --help` diff --git a/data/generated/tldr/origamindee.md b/data/generated/tldr/origamindee.md new file mode 100644 index 0000000..93f7035 --- /dev/null +++ b/data/generated/tldr/origamindee.md @@ -0,0 +1,7 @@ +# origamindee + +> Parse, modify, generate PDF files. + +- Run origamindee: + +`origamindee --help` diff --git a/data/generated/tldr/pcode2code.md b/data/generated/tldr/pcode2code.md new file mode 100644 index 0000000..7471fcd --- /dev/null +++ b/data/generated/tldr/pcode2code.md @@ -0,0 +1,7 @@ +# pcode2code + +> Decompile VBA p-code from Office documents — works even when VBA source is removed + +- Run pcode2code: + +`pcode2code ` diff --git a/data/generated/tldr/pcodedmp.md b/data/generated/tldr/pcodedmp.md new file mode 100644 index 0000000..1f617b9 --- /dev/null +++ b/data/generated/tldr/pcodedmp.md @@ -0,0 +1,7 @@ +# pcodedmp + +> Disassemble VBA p-code. + +- Run pcodedmp: + +`pcodedmp --help` diff --git a/data/generated/tldr/pdf-parser.py.md b/data/generated/tldr/pdf-parser.py.md new file mode 100644 index 0000000..8d242a8 --- /dev/null +++ b/data/generated/tldr/pdf-parser.py.md @@ -0,0 +1,19 @@ +# pdf-parser.py + +> Parse PDF structure, locate objects, extract content, and search for strings + +- Run pdf-parser.py: + +`pdf-parser.py document.pdf -a` + +- Run pdf-parser.py: + +`pdf-parser.py document.pdf -s /URI` + +- Run pdf-parser.py: + +`pdf-parser.py document.pdf -k /URI` + +- Run pdf-parser.py: + +`pdf-parser.py document.pdf -o 6 -d object6.jpg` diff --git a/data/generated/tldr/pdfid.py.md b/data/generated/tldr/pdfid.py.md new file mode 100644 index 0000000..2cf411e --- /dev/null +++ b/data/generated/tldr/pdfid.py.md @@ -0,0 +1,11 @@ +# pdfid.py + +> Scan PDF files for suspicious keywords like /JavaScript, /OpenAction, /Launch without parsing + +- Run pdfid.py: + +`pdfid.py document.pdf` + +- Run pdfid.py: + +`pdfid.py -n document.pdf` 
diff --git a/data/generated/tldr/pdfresurrect.md b/data/generated/tldr/pdfresurrect.md new file mode 100644 index 0000000..148c198 --- /dev/null +++ b/data/generated/tldr/pdfresurrect.md @@ -0,0 +1,7 @@ +# pdfresurrect + +> Extract and analyze previous versions from PDF files + +- Run pdfresurrect: + +`pdfresurrect document.pdf` diff --git a/data/generated/tldr/pdftk.md b/data/generated/tldr/pdftk.md new file mode 100644 index 0000000..eea7751 --- /dev/null +++ b/data/generated/tldr/pdftk.md @@ -0,0 +1,11 @@ +# pdftk + +> Manipulate PDF files — merge, split, flatten, encrypt, and extract embedded content + +- Run pdftk: + +`pdftk input.pdf cat output output.pdf flatten` + +- Run pdftk: + +`pdftk input.pdf unpack_files` diff --git a/data/generated/tldr/pdftool.py.md b/data/generated/tldr/pdftool.py.md new file mode 100644 index 0000000..cf6ac0a --- /dev/null +++ b/data/generated/tldr/pdftool.py.md @@ -0,0 +1,7 @@ +# pdftool.py + +> Analyze PDF incremental updates + +- Run pdftool.py: + +`pdftool.py document.pdf` diff --git a/data/generated/tldr/pdnstool.md b/data/generated/tldr/pdnstool.md new file mode 100644 index 0000000..fdc8c8b --- /dev/null +++ b/data/generated/tldr/pdnstool.md @@ -0,0 +1,7 @@ +# pdnstool + +> Query passive DNS databases for DNS data. + +- Run pdnstool: + +`pdnstool --help` diff --git a/data/generated/tldr/peepdf.md b/data/generated/tldr/peepdf.md new file mode 100644 index 0000000..9219600 --- /dev/null +++ b/data/generated/tldr/peepdf.md @@ -0,0 +1,11 @@ +# peepdf + +> Interactive PDF analysis framework with JavaScript detection and exploitation capabilities + +- Run peepdf: + +`peepdf -i malicious.pdf` + +- Run peepdf: + +`peepdf -f -i malicious.pdf` diff --git a/data/generated/tldr/peframe.md b/data/generated/tldr/peframe.md new file mode 100644 index 0000000..458ec6d --- /dev/null +++ b/data/generated/tldr/peframe.md 
@@ -0,0 +1,7 @@ +# peframe + +> Static analysis of PE files — extract properties, detect anomalies, identify packers + +- Run peframe: + +`peframe specimen.exe` diff --git a/data/generated/tldr/pestr.md b/data/generated/tldr/pestr.md new file mode 100644 index 0000000..9b75412 --- /dev/null +++ b/data/generated/tldr/pestr.md @@ -0,0 +1,7 @@ +# pestr + +> Extract ASCII and Unicode strings from PE files + +- Run pestr: + +`pestr specimen.exe` diff --git a/data/generated/tldr/polarproxy.md b/data/generated/tldr/polarproxy.md new file mode 100644 index 0000000..b85df96 --- /dev/null +++ b/data/generated/tldr/polarproxy.md @@ -0,0 +1,7 @@ +# polarproxy + +> Transparent TLS proxy that decrypts traffic and saves it as PCAP for analysis in Wireshark + +- Run polarproxy: + +`PolarProxy -p 443,80 -w captured.pcap` diff --git a/data/generated/tldr/powershell.md b/data/generated/tldr/powershell.md new file mode 100644 index 0000000..cc8cbb6 --- /dev/null +++ b/data/generated/tldr/powershell.md @@ -0,0 +1,7 @@ +# powershell + +> Run PowerShell scripts and commands. + +- Run powershell: + +`powershell --help` diff --git a/data/generated/tldr/procdot.md b/data/generated/tldr/procdot.md new file mode 100644 index 0000000..b49b5b4 --- /dev/null +++ b/data/generated/tldr/procdot.md @@ -0,0 +1,7 @@ +# ProcDOT + +> Visualize Process Monitor logs as interactive graphs for behavioral analysis + +- Run ProcDOT: + +`procdot` diff --git a/data/generated/tldr/procyon.md b/data/generated/tldr/procyon.md new file mode 100644 index 0000000..03afe7a --- /dev/null +++ b/data/generated/tldr/procyon.md @@ -0,0 +1,7 @@ +# Procyon + +> Java decompiler. + +- Run Procyon: + +`Procyon --help` diff --git a/data/generated/tldr/pyinstaller-extractor.md b/data/generated/tldr/pyinstaller-extractor.md new file mode 100644 index 0000000..eeb498b --- /dev/null +++ b/data/generated/tldr/pyinstaller-extractor.md 
@@ -0,0 +1,7 @@ +# pyinstaller-extractor + +> Extract contents of a PyInstaller-generated PE files. + +- Run pyinstaller-extractor: + +`pyinstaller-extractor --help` diff --git a/data/generated/tldr/pyinstxtractor-ng.md b/data/generated/tldr/pyinstxtractor-ng.md new file mode 100644 index 0000000..a8149ab --- /dev/null +++ b/data/generated/tldr/pyinstxtractor-ng.md @@ -0,0 +1,7 @@ +# pyinstxtractor-ng + +> Extract contents of PyInstaller-generated executables without needing matching Python version + +- Run pyinstxtractor-ng: + +`pyinstxtractor-ng ` diff --git a/data/generated/tldr/qiling.md b/data/generated/tldr/qiling.md new file mode 100644 index 0000000..b83ea8d --- /dev/null +++ b/data/generated/tldr/qiling.md @@ -0,0 +1,7 @@ +# qiling + +> Multi-platform binary emulation framework — emulate PE, ELF, shellcode across OS/arch combinations + +- Run qiling: + +`python3 -c "from qiling import Qiling; ql = Qiling([''], '/path/to/rootfs')"` diff --git a/data/generated/tldr/qpdf.md b/data/generated/tldr/qpdf.md new file mode 100644 index 0000000..c9efb06 --- /dev/null +++ b/data/generated/tldr/qpdf.md @@ -0,0 +1,7 @@ +# qpdf + +> Decrypt, linearize, and transform PDF files — useful for removing password protection + +- Run qpdf: + +`qpdf --decrypt encrypted.pdf output.pdf` diff --git a/data/generated/tldr/radare2.md b/data/generated/tldr/radare2.md new file mode 100644 index 0000000..14f1e59 --- /dev/null +++ b/data/generated/tldr/radare2.md @@ -0,0 +1,7 @@ +# radare2 + +> Open-source reverse engineering command-line framework + +- Run radare2: + +`r2 specimen.exe` diff --git a/data/generated/tldr/rar.md b/data/generated/tldr/rar.md new file mode 100644 index 0000000..f205637 --- /dev/null +++ b/data/generated/tldr/rar.md @@ -0,0 +1,7 @@ +# rar + +> Extract RAR archives (including self-extracting RAR payloads) + +- Run rar: + +`rar x archive.rar` 
diff --git a/data/generated/tldr/re-search.py.md b/data/generated/tldr/re-search.py.md new file mode 100644 index 0000000..0dabea5 --- /dev/null +++ b/data/generated/tldr/re-search.py.md @@ -0,0 +1,7 @@ +# re-search.py + +> Search the file for built-in regular expressions of common suspicious artifacts. + +- Run re-search.py: + +`re-search.py --help` diff --git a/data/generated/tldr/redress.md b/data/generated/tldr/redress.md new file mode 100644 index 0000000..585ebda --- /dev/null +++ b/data/generated/tldr/redress.md @@ -0,0 +1,7 @@ +# redress + +> Analyze stripped Go binaries to recover symbols, types, source structure, and integrate with Radare2. + +- Run redress: + +`redress --help` diff --git a/data/generated/tldr/remnux-installer.md b/data/generated/tldr/remnux-installer.md new file mode 100644 index 0000000..63fea3c --- /dev/null +++ b/data/generated/tldr/remnux-installer.md @@ -0,0 +1,7 @@ +# REMnux Installer + +> Install and update the REMnux distro. + +- Run REMnux Installer: + +`REMnux Installer --help` diff --git a/data/generated/tldr/remnux-mcp-server.md b/data/generated/tldr/remnux-mcp-server.md new file mode 100644 index 0000000..e905231 --- /dev/null +++ b/data/generated/tldr/remnux-mcp-server.md @@ -0,0 +1,7 @@ +# remnux-mcp-server + +> MCP server for using the REMnux malware analysis toolkit via AI assistants. + +- Run remnux-mcp-server: + +`remnux-mcp-server --help` diff --git a/data/generated/tldr/rsakeyfinder.md b/data/generated/tldr/rsakeyfinder.md new file mode 100644 index 0000000..591b387 --- /dev/null +++ b/data/generated/tldr/rsakeyfinder.md @@ -0,0 +1,7 @@ +# RSAKeyFinder + +> Find BER-encoded RSA private keys in a memory image. + +- Run RSAKeyFinder: + +`RSAKeyFinder --help` diff --git a/data/generated/tldr/rtfdump.py.md b/data/generated/tldr/rtfdump.py.md new file mode 100644 index 0000000..23e6a75 --- /dev/null +++ b/data/generated/tldr/rtfdump.py.md 
@@ -0,0 +1,11 @@ +# rtfdump.py + +> Analyze RTF file structure, identify hex-encoded groups and embedded objects + +- Run rtfdump.py: + +`rtfdump.py document.rtf` + +- Run rtfdump.py: + +`rtfdump.py document.rtf -s 5 -H -d > extracted.bin` diff --git a/data/generated/tldr/runsc32.md b/data/generated/tldr/runsc32.md new file mode 100644 index 0000000..88c8934 --- /dev/null +++ b/data/generated/tldr/runsc32.md @@ -0,0 +1,7 @@ +# runsc32 + +> Execute extracted shellcode for dynamic analysis + +- Run runsc32: + +`runsc32 -f shellcode.bin -o 0x3B -d qa.doc` diff --git a/data/generated/tldr/sandfly-processdecloak.md b/data/generated/tldr/sandfly-processdecloak.md new file mode 100644 index 0000000..37cf056 --- /dev/null +++ b/data/generated/tldr/sandfly-processdecloak.md @@ -0,0 +1,7 @@ +# sandfly-processdecloak + +> Find hidden processes on the local Linux system. + +- Run sandfly-processdecloak: + +`sandfly-processdecloak --help` diff --git a/data/generated/tldr/scalpel.md b/data/generated/tldr/scalpel.md new file mode 100644 index 0000000..5a25b37 --- /dev/null +++ b/data/generated/tldr/scalpel.md @@ -0,0 +1,7 @@ +# scalpel + +> Carve contents out of binary files, such as partitions. + +- Run scalpel: + +`scalpel --help` diff --git a/data/generated/tldr/scdbgc.md b/data/generated/tldr/scdbgc.md new file mode 100644 index 0000000..63f8e6b --- /dev/null +++ b/data/generated/tldr/scdbgc.md @@ -0,0 +1,15 @@ +# scdbgc + +> Shellcode emulator — analyze shellcode behavior through API-level emulation + +- Run scdbgc: + +`scdbgc /f shellcode.bin /s -1` + +- Run scdbgc: + +`scdbgc /f shellcode.bin /foff 0x3B /fopen qa.doc` + +- Run scdbgc: + +`scdbgc /f shellcode.bin /s -1 /norw` diff --git a/data/generated/tldr/scite.md b/data/generated/tldr/scite.md new file mode 100644 index 0000000..050baef --- /dev/null +++ b/data/generated/tldr/scite.md @@ -0,0 +1,7 @@ +# scite + +> Edit text files. + +- Run scite: + +`scite --help` 
diff --git a/data/generated/tldr/sets.py.md b/data/generated/tldr/sets.py.md new file mode 100644 index 0000000..d844017 --- /dev/null +++ b/data/generated/tldr/sets.py.md @@ -0,0 +1,7 @@ +# sets.py + +> Perform set operations on lines or bytes in text files. + +- Run sets.py: + +`sets.py --help` diff --git a/data/generated/tldr/shcode2exe.md b/data/generated/tldr/shcode2exe.md new file mode 100644 index 0000000..3687e3c --- /dev/null +++ b/data/generated/tldr/shcode2exe.md @@ -0,0 +1,7 @@ +# shcode2exe + +> Convert raw shellcode to a Windows PE executable for analysis in disassemblers + +- Run shcode2exe: + +`shcode2exe ` diff --git a/data/generated/tldr/shellcode2exe-bat.md b/data/generated/tldr/shellcode2exe-bat.md new file mode 100644 index 0000000..29e7cb5 --- /dev/null +++ b/data/generated/tldr/shellcode2exe-bat.md @@ -0,0 +1,7 @@ +# shellcode2exe-bat + +> Convert 32 and 64-bit shellcode to a Windows executable file. + +- Run shellcode2exe-bat: + +`shellcode2exe-bat --help` diff --git a/data/generated/tldr/signsrch.md b/data/generated/tldr/signsrch.md new file mode 100644 index 0000000..58b4691 --- /dev/null +++ b/data/generated/tldr/signsrch.md @@ -0,0 +1,7 @@ +# signsrch + +> Find patterns of common encryption, compression, or encoding algorithms. + +- Run signsrch: + +`signsrch --help` diff --git a/data/generated/tldr/sleuth-kit.md b/data/generated/tldr/sleuth-kit.md new file mode 100644 index 0000000..2c354b3 --- /dev/null +++ b/data/generated/tldr/sleuth-kit.md @@ -0,0 +1,7 @@ +# Sleuth Kit + +> Analyze disk images and recover files from them. + +- Run Sleuth Kit: + +`Sleuth Kit --help` diff --git a/data/generated/tldr/sortcanon.py.md b/data/generated/tldr/sortcanon.py.md new file mode 100644 index 0000000..697c544 --- /dev/null +++ b/data/generated/tldr/sortcanon.py.md @@ -0,0 +1,7 @@ +# sortcanon.py + +> Sort text files using canonicalization functions built into this tool. + +- Run sortcanon.py: + +`sortcanon.py --help` 
diff --git a/data/generated/tldr/speakeasy.md b/data/generated/tldr/speakeasy.md new file mode 100644 index 0000000..7c4d018 --- /dev/null +++ b/data/generated/tldr/speakeasy.md @@ -0,0 +1,11 @@ +# speakeasy + +> Windows binary emulator — emulates API calls to analyze malware behavior without native execution + +- Run speakeasy: + +`speakeasy -t specimen.exe -o report.json 2> report.txt` + +- Run speakeasy: + +`speakeasy -t shellcode.bin -r -a x86` diff --git a/data/generated/tldr/spidermonkey.md b/data/generated/tldr/spidermonkey.md new file mode 100644 index 0000000..71275d1 --- /dev/null +++ b/data/generated/tldr/spidermonkey.md @@ -0,0 +1,11 @@ +# SpiderMonkey + +> Mozilla JavaScript engine — execute and deobfuscate malicious JavaScript outside a browser + +- Run SpiderMonkey: + +`js -f malicious.js` + +- Run SpiderMonkey: + +`js -f /usr/share/remnux/objects.js -f malicious.js > decoded.js` diff --git a/data/generated/tldr/sqlite.md b/data/generated/tldr/sqlite.md new file mode 100644 index 0000000..4530314 --- /dev/null +++ b/data/generated/tldr/sqlite.md @@ -0,0 +1,7 @@ +# SQLite + +> Manage and interact with SQL database files. + +- Run SQLite: + +`SQLite --help` diff --git a/data/generated/tldr/ssdeep.md b/data/generated/tldr/ssdeep.md new file mode 100644 index 0000000..341d942 --- /dev/null +++ b/data/generated/tldr/ssdeep.md @@ -0,0 +1,15 @@ +# ssdeep + +> Compute fuzzy hashes (CTPH) for finding similar files — useful for malware variant clustering + +- Run ssdeep: + +`ssdeep ` + +- Run ssdeep: + +`ssdeep -m ` + +- Run ssdeep: + +`ssdeep -d ` diff --git a/data/generated/tldr/ssview.md b/data/generated/tldr/ssview.md new file mode 100644 index 0000000..6558137 --- /dev/null +++ b/data/generated/tldr/ssview.md @@ -0,0 +1,7 @@ +# ssview + +> Analyze OLE2 Structured Storage files. + +- Run ssview: + +`ssview --help` diff --git a/data/generated/tldr/strdeob.pl.md b/data/generated/tldr/strdeob.pl.md new file mode 100644 index 0000000..04db4eb --- /dev/null 
+++ b/data/generated/tldr/strdeob.pl.md @@ -0,0 +1,7 @@ +# strdeob.pl + +> Automatically decode stack-built strings from disassembled malware + +- Run strdeob.pl: + +`strdeob.pl specimen.exe` diff --git a/data/generated/tldr/strings.md b/data/generated/tldr/strings.md new file mode 100644 index 0000000..65ab0d9 --- /dev/null +++ b/data/generated/tldr/strings.md @@ -0,0 +1,15 @@ +# strings + +> Extract printable ASCII and Unicode strings from binary files + +- Run strings: + +`strings binary.exe` + +- Run strings: + +`strings -n 10 binary.exe` + +- Run strings: + +`strings --encoding=l binary.exe` diff --git a/data/generated/tldr/tcpdump.md b/data/generated/tldr/tcpdump.md new file mode 100644 index 0000000..3c8598a --- /dev/null +++ b/data/generated/tldr/tcpdump.md @@ -0,0 +1,11 @@ +# tcpdump + +> Command-line packet capture tool + +- Run tcpdump: + +`tcpdump -i eth0 -w capture.pcap` + +- Run tcpdump: + +`tcpdump -r capture.pcap` diff --git a/data/generated/tldr/tcpflow.md b/data/generated/tldr/tcpflow.md new file mode 100644 index 0000000..adbd03c --- /dev/null +++ b/data/generated/tldr/tcpflow.md @@ -0,0 +1,7 @@ +# tcpflow + +> Extract and reassemble TCP streams from PCAP files into individual files + +- Run tcpflow: + +`tcpflow -r -o output/` diff --git a/data/generated/tldr/tcpick.md b/data/generated/tldr/tcpick.md new file mode 100644 index 0000000..f08eda6 --- /dev/null +++ b/data/generated/tldr/tcpick.md @@ -0,0 +1,7 @@ +# tcpick + +> Capture and analyze network traffic with this command-line sniffer. + +- Run tcpick: + +`tcpick --help` diff --git a/data/generated/tldr/tcpxtract.md b/data/generated/tldr/tcpxtract.md new file mode 100644 index 0000000..5f668e8 --- /dev/null +++ b/data/generated/tldr/tcpxtract.md @@ -0,0 +1,7 @@ +# tcpxtract + +> Carve files from network traffic using file signatures + +- Run tcpxtract: + +`tcpxtract -f -o output/` 
diff --git a/data/generated/tldr/tesseract-ocr.md b/data/generated/tldr/tesseract-ocr.md new file mode 100644 index 0000000..b413b6e --- /dev/null +++ b/data/generated/tldr/tesseract-ocr.md @@ -0,0 +1,7 @@ +# tesseract-ocr + +> Examine images to identify and extract text using optical character recognition (OCR). + +- Run tesseract-ocr: + +`tesseract-ocr --help` diff --git a/data/generated/tldr/texteditor.py.md b/data/generated/tldr/texteditor.py.md new file mode 100644 index 0000000..879f2d6 --- /dev/null +++ b/data/generated/tldr/texteditor.py.md @@ -0,0 +1,7 @@ +# texteditor.py + +> Edit text files from the command line using search-and-replace commands. + +- Run texteditor.py: + +`texteditor.py --help` diff --git a/data/generated/tldr/thefuzz.md b/data/generated/tldr/thefuzz.md new file mode 100644 index 0000000..40c3438 --- /dev/null +++ b/data/generated/tldr/thefuzz.md @@ -0,0 +1,7 @@ +# thefuzz + +> Fuzzy String Matching in Python. + +- Run thefuzz: + +`thefuzz --help` diff --git a/data/generated/tldr/thug.md b/data/generated/tldr/thug.md new file mode 100644 index 0000000..1295c54 --- /dev/null +++ b/data/generated/tldr/thug.md @@ -0,0 +1,7 @@ +# Thug + +> Low-interaction honeyclient for analyzing malicious websites and drive-by downloads + +- Run Thug: + +`thug -u win7chrome49 http://suspicious-site.com` diff --git a/data/generated/tldr/time-decode.md b/data/generated/tldr/time-decode.md new file mode 100644 index 0000000..73c14e7 --- /dev/null +++ b/data/generated/tldr/time-decode.md @@ -0,0 +1,7 @@ +# time-decode + +> Decode and encode date and timestamps. + +- Run time-decode: + +`time-decode --help` diff --git a/data/generated/tldr/tor.md b/data/generated/tldr/tor.md new file mode 100644 index 0000000..7e8e561 --- /dev/null +++ b/data/generated/tldr/tor.md @@ -0,0 +1,7 @@ +# tor + +> Obfuscate your origins by routing traffic through a network of anonymizing nodes. + +- Run tor: + +`tor --help` 
diff --git a/data/generated/tldr/torsocks.md b/data/generated/tldr/torsocks.md new file mode 100644 index 0000000..f2eae67 --- /dev/null +++ b/data/generated/tldr/torsocks.md @@ -0,0 +1,7 @@ +# torsocks + +> Route network traffic through the Tor anonymity network + +- Run torsocks: + +`torsocks curl http://example.onion` diff --git a/data/generated/tldr/translate.py.md b/data/generated/tldr/translate.py.md new file mode 100644 index 0000000..6dd0001 --- /dev/null +++ b/data/generated/tldr/translate.py.md @@ -0,0 +1,7 @@ +# translate.py + +> Transform data using Python expressions (XOR, ADD, etc.) + +- Run translate.py: + +`translate.py "byte ^ 35" < input.bin > output.bin` diff --git a/data/generated/tldr/trid.md b/data/generated/tldr/trid.md new file mode 100644 index 0000000..7925e0f --- /dev/null +++ b/data/generated/tldr/trid.md @@ -0,0 +1,7 @@ +# trid + +> Identify file type by scanning binary signatures database + +- Run trid: + +`trid document.doc` diff --git a/data/generated/tldr/tshark.md b/data/generated/tldr/tshark.md new file mode 100644 index 0000000..a6d73bb --- /dev/null +++ b/data/generated/tldr/tshark.md @@ -0,0 +1,11 @@ +# tshark + +> Command-line interface to Wireshark for packet capture and analysis + +- Run tshark: + +`tshark -r capture.pcap` + +- Run tshark: + +`tshark -i eth0 -w capture.pcap` diff --git a/data/generated/tldr/uncompyle6.md b/data/generated/tldr/uncompyle6.md new file mode 100644 index 0000000..94d8cf1 --- /dev/null +++ b/data/generated/tldr/uncompyle6.md @@ -0,0 +1,11 @@ +# uncompyle6 + +> Decompile Python bytecode (.pyc) back to source — supports Python 1.0 through 3.8 + +- Run uncompyle6: + +`uncompyle6 ` + +- Run uncompyle6: + +`uncompyle6 -o output/ ` diff --git a/data/generated/tldr/unfurl.md b/data/generated/tldr/unfurl.md new file mode 100644 index 0000000..3a57af8 --- /dev/null +++ b/data/generated/tldr/unfurl.md 
@@ -0,0 +1,7 @@ +# Unfurl + +> Deconstruct and decode URLs — reveal tracking parameters, encoded data, and redirect chains + +- Run Unfurl: + +`unfurl parse ` diff --git a/data/generated/tldr/unhide.md b/data/generated/tldr/unhide.md new file mode 100644 index 0000000..9d484d5 --- /dev/null +++ b/data/generated/tldr/unhide.md @@ -0,0 +1,7 @@ +# unhide + +> Find hidden processes or connections on the local Linux system. + +- Run unhide: + +`unhide --help` diff --git a/data/generated/tldr/unicode.md b/data/generated/tldr/unicode.md new file mode 100644 index 0000000..045034c --- /dev/null +++ b/data/generated/tldr/unicode.md @@ -0,0 +1,7 @@ +# unicode + +> Display Unicode character properties. + +- Run unicode: + +`unicode --help` diff --git a/data/generated/tldr/unxor.md b/data/generated/tldr/unxor.md new file mode 100644 index 0000000..f452acb --- /dev/null +++ b/data/generated/tldr/unxor.md @@ -0,0 +1,7 @@ +# unxor + +> Deobfuscate XOR'ed files. + +- Run unxor: + +`unxor --help` diff --git a/data/generated/tldr/unzip.md b/data/generated/tldr/unzip.md new file mode 100644 index 0000000..00f3b7f --- /dev/null +++ b/data/generated/tldr/unzip.md @@ -0,0 +1,7 @@ +# unzip + +> Extract ZIP archives containing malware samples + +- Run unzip: + +`unzip -P infected sample.zip` diff --git a/data/generated/tldr/upx.md b/data/generated/tldr/upx.md new file mode 100644 index 0000000..12935b3 --- /dev/null +++ b/data/generated/tldr/upx.md @@ -0,0 +1,11 @@ +# UPX + +> Universal Packer for eXecutables — compress and decompress PE files + +- Run UPX: + +`upx -d packed.exe` + +- Run UPX: + +`upx -d packed.exe -o unpacked.exe` diff --git a/data/generated/tldr/vbindiff.md b/data/generated/tldr/vbindiff.md new file mode 100644 index 0000000..82d9282 --- /dev/null +++ b/data/generated/tldr/vbindiff.md @@ -0,0 +1,7 @@ +# vbindiff + +> Compare binary files. + +- Run vbindiff: + +`vbindiff --help` 
diff --git a/data/generated/tldr/virustotal-search.md b/data/generated/tldr/virustotal-search.md new file mode 100644 index 0000000..9b5f4e4 --- /dev/null +++ b/data/generated/tldr/virustotal-search.md @@ -0,0 +1,7 @@ +# virustotal-search + +> Search VirusTotal for file hashes. + +- Run virustotal-search: + +`virustotal-search --help` diff --git a/data/generated/tldr/virustotal-submit.md b/data/generated/tldr/virustotal-submit.md new file mode 100644 index 0000000..b45ddf9 --- /dev/null +++ b/data/generated/tldr/virustotal-submit.md @@ -0,0 +1,7 @@ +# virustotal-submit + +> Submit files to VirusTotal. + +- Run virustotal-submit: + +`virustotal-submit --help` diff --git a/data/generated/tldr/visual-studio-code.md b/data/generated/tldr/visual-studio-code.md new file mode 100644 index 0000000..c1a11c1 --- /dev/null +++ b/data/generated/tldr/visual-studio-code.md @@ -0,0 +1,7 @@ +# Visual Studio Code + +> Code editor used for viewing decompiled output, scripts, and analysis results + +- Run Visual Studio Code: + +`code filename.js` diff --git a/data/generated/tldr/vivisect.md b/data/generated/tldr/vivisect.md new file mode 100644 index 0000000..7ebc2f5 --- /dev/null +++ b/data/generated/tldr/vivisect.md @@ -0,0 +1,11 @@ +# Vivisect + +> Binary analysis and emulation framework — static analysis with emulation capabilities + +- Run Vivisect: + +`vivbin ` + +- Run Vivisect: + +`python3 -c "import vivisect; vw = vivisect.VivWorkspace(); vw.loadFromFile('')"` diff --git a/data/generated/tldr/volatility3.md b/data/generated/tldr/volatility3.md new file mode 100644 index 0000000..1cd6ed8 --- /dev/null +++ b/data/generated/tldr/volatility3.md 
@@ -0,0 +1,19 @@ +# volatility3 + +> Memory forensics framework — analyze RAM dumps to find malware, hidden processes, network connections, and injected code + +- Run volatility3: + +`vol3 -f windows.info` + +- Run volatility3: + +`vol3 -f windows.pslist` + +- Run volatility3: + +`vol3 -f windows.pstree` + +- Run volatility3: + +`vol3 -f windows.netscan` diff --git a/data/generated/tldr/wget.md b/data/generated/tldr/wget.md new file mode 100644 index 0000000..5503537 --- /dev/null +++ b/data/generated/tldr/wget.md @@ -0,0 +1,7 @@ +# wget + +> Download files from HTTP/HTTPS/FTP servers + +- Run wget: + +`wget http://example.com/file.bin` diff --git a/data/generated/tldr/wine.md b/data/generated/tldr/wine.md new file mode 100644 index 0000000..5cc9180 --- /dev/null +++ b/data/generated/tldr/wine.md @@ -0,0 +1,7 @@ +# Wine + +> Windows compatibility layer — run Windows executables on Linux + +- Run Wine: + +`wine program.exe` diff --git a/data/generated/tldr/wireshark.md b/data/generated/tldr/wireshark.md new file mode 100644 index 0000000..ea24567 --- /dev/null +++ b/data/generated/tldr/wireshark.md @@ -0,0 +1,11 @@ +# Wireshark + +> GUI network protocol analyzer for capturing and inspecting packet-level traffic + +- Run Wireshark: + +`wireshark` + +- Run Wireshark: + +`wireshark -r capture.pcap` diff --git a/data/generated/tldr/wxhexeditor.md b/data/generated/tldr/wxhexeditor.md new file mode 100644 index 0000000..788b031 --- /dev/null +++ b/data/generated/tldr/wxhexeditor.md @@ -0,0 +1,7 @@ +# wxhexeditor + +> Hex editor. + +- Run wxhexeditor: + +`wxhexeditor --help` diff --git a/data/generated/tldr/xlmmacrodeobfuscator.md b/data/generated/tldr/xlmmacrodeobfuscator.md new file mode 100644 index 0000000..dd8b5f0 --- /dev/null +++ b/data/generated/tldr/xlmmacrodeobfuscator.md 
@@ -0,0 +1,11 @@ +# XLMMacroDeobfuscator + +> Deobfuscate Excel 4.0 (XLM) macros — these hide in hidden sheets and are hard to detect + +- Run XLMMacroDeobfuscator: + +`xlmdeobfuscator --file ` + +- Run XLMMacroDeobfuscator: + +`xlmdeobfuscator --file --no-indent` diff --git a/data/generated/tldr/xmldump.py.md b/data/generated/tldr/xmldump.py.md new file mode 100644 index 0000000..6fdacb6 --- /dev/null +++ b/data/generated/tldr/xmldump.py.md @@ -0,0 +1,7 @@ +# xmldump.py + +> Extract contents of XML files, in particular OOXML-formatted Microsoft Office documents. + +- Run xmldump.py: + +`xmldump.py --help` diff --git a/data/generated/tldr/xor-kpa.py.md b/data/generated/tldr/xor-kpa.py.md new file mode 100644 index 0000000..2349ab3 --- /dev/null +++ b/data/generated/tldr/xor-kpa.py.md @@ -0,0 +1,7 @@ +# xor-kpa.py + +> Implement a XOR known plaintext attack. + +- Run xor-kpa.py: + +`xor-kpa.py --help` diff --git a/data/generated/tldr/xorbruteforcer.md b/data/generated/tldr/xorbruteforcer.md new file mode 100644 index 0000000..20d8c54 --- /dev/null +++ b/data/generated/tldr/xorbruteforcer.md @@ -0,0 +1,7 @@ +# xorbruteforcer + +> Bruteforce an XOR-encoded file. + +- Run xorbruteforcer: + +`xorbruteforcer --help` diff --git a/data/generated/tldr/xorsearch.md b/data/generated/tldr/xorsearch.md new file mode 100644 index 0000000..c8d7c03 --- /dev/null +++ b/data/generated/tldr/xorsearch.md @@ -0,0 +1,11 @@ +# XORSearch + +> Search for XOR/ROL/ROT/SHIFT-encoded patterns including shellcode signatures + +- Run XORSearch: + +`XORSearch -W -d 3 file.bin` + +- Run XORSearch: + +`XORSearch -i -s specimen.exe http:` diff --git a/data/generated/tldr/xorstrings.md b/data/generated/tldr/xorstrings.md new file mode 100644 index 0000000..2c7d086 --- /dev/null +++ b/data/generated/tldr/xorstrings.md @@ -0,0 +1,7 @@ +# xorstrings + +> Search for XOR encoded strings in a file. + +- Run xorstrings: + +`xorstrings --help` 
diff --git a/data/generated/tldr/xortool.md b/data/generated/tldr/xortool.md new file mode 100644 index 0000000..3544998 --- /dev/null +++ b/data/generated/tldr/xortool.md @@ -0,0 +1,11 @@ +# xortool + +> Analyze XOR-encoded data — guess key length and probable key bytes + +- Run xortool: + +`xortool ` + +- Run xortool: + +`xortool-xor -s 'key' -i -o ` diff --git a/data/generated/tldr/xxd.md b/data/generated/tldr/xxd.md new file mode 100644 index 0000000..578bde2 --- /dev/null +++ b/data/generated/tldr/xxd.md @@ -0,0 +1,11 @@ +# xxd + +> Create hex dump of a file or reverse a hex dump back to binary + +- Run xxd: + +`xxd binary.exe` + +- Run xxd: + +`xxd -r hexdump.txt > binary.exe` diff --git a/data/generated/tldr/yara-forge-rules.md b/data/generated/tldr/yara-forge-rules.md new file mode 100644 index 0000000..a128b77 --- /dev/null +++ b/data/generated/tldr/yara-forge-rules.md @@ -0,0 +1,7 @@ +# YARA-Forge Rules + +> Scan files with curated YARA rules from 45+ sources for malware family identification. + +- Run YARA-Forge Rules: + +`YARA-Forge Rules --help` diff --git a/data/generated/tldr/yara-x.md b/data/generated/tldr/yara-x.md new file mode 100644 index 0000000..9d7b510 --- /dev/null +++ b/data/generated/tldr/yara-x.md @@ -0,0 +1,7 @@ +# yara-x + +> Scan files using YARA rules, the next generation of YARA written in Rust. + +- Run yara-x: + +`yara-x --help` diff --git a/data/generated/tldr/yara.md b/data/generated/tldr/yara.md new file mode 100644 index 0000000..969654a --- /dev/null +++ b/data/generated/tldr/yara.md @@ -0,0 +1,11 @@ +# yara + +> Pattern matching tool for identifying and classifying malware using custom rules + +- Run yara: + +`yara-rules specimen.bin` + +- Run yara: + +`yara rule.yar specimen.exe` diff --git a/data/generated/tldr/zbarimg.md b/data/generated/tldr/zbarimg.md new file mode 100644 index 0000000..d31f3f0 --- /dev/null +++ b/data/generated/tldr/zbarimg.md 
@@ -0,0 +1,7 @@ +# zbarimg + +> Decode QR codes and barcodes from image files. + +- Run zbarimg: + +`zbarimg --help` diff --git a/data/generated/tldr/zipdump.py.md b/data/generated/tldr/zipdump.py.md new file mode 100644 index 0000000..db91514 --- /dev/null +++ b/data/generated/tldr/zipdump.py.md @@ -0,0 +1,7 @@ +# zipdump.py + +> Parse and analyze ZIP archive structure + +- Run zipdump.py: + +`zipdump.py archive.zip` diff --git a/data/generated/tools.db b/data/generated/tools.db new file mode 100644 index 0000000..fad19e2 --- /dev/null +++ b/data/generated/tools.db 
@@ -0,0 +1,397 @@ +1768.py|Parse Cobalt Strike beacon configuration from shellcode or memory dumps|Examine Static Properties > Deobfuscation|1768.py shellcode.bin|rich +7-Zip|Compress and decompress files using a variety of algorithms.|Examine Static Properties > General|7-Zip --help|standard +7zip|(no description available)||7zip --help|basic +AESKeyFinder|Find 128-bit and 256-bit AES keys in a memory image.|Perform Memory Forensics|AESKeyFinder --help|standard +AndroidProjectCreator|Convert an Android APK application file into an Android Studio project for easier analysis.|Statically Analyze Code > Android|AndroidProjectCreator --help|standard +Burp Suite Community Edition|Investigate website interactions using this web proxy.|Explore Network Interactions > Monitoring|Burp Suite Community Edition --help|standard +Bytehist|Generate byte-usage histograms to visually identify packed or encrypted sections in binaries|Statically Analyze Code > Unpacking|bytehist specimen.exe|rich +ClamAV|Open-source antivirus — scan files for known malware signatures|Examine Static Properties > General|clamscan |rich +Cobalt Strike Configuration Extractor (CSCE) and Parser|Analyze Cobalt Strike beacons.|Examine Static Properties > Deobfuscation|Cobalt Strike Configuration Extractor (CSCE) and Parser --help|standard +Cutter|Open-source reverse engineering platform — Qt-based GUI for radare2|Statically Analyze Code > General|cutter specimen.exe|rich +CyberChef|Web-based data transformation tool — decode Base64, XOR, hex, decompress, and chain operations|Examine Static Properties > Deobfuscation|cyberchef|rich +Decompyle++|Python bytecode disassembler and decompiler.|Statically Analyze Code > Python|Decompyle++ --help|standard +EPIC IRC Client|Examine IRC activities with this IRC client.|Explore Network Interactions > Connecting|EPIC IRC Client --help|standard +FLOSS|Automatically extract obfuscated strings from malware using static analysis, stack strings, and emulation|Examine Static 
Properties > Deobfuscation|floss specimen.exe|rich +Frida|Dynamic instrumentation toolkit — hook and trace running processes, intercept function calls in real time|Dynamically Reverse-Engineer Code > General|frida -l hook.js |rich +GNOME Calculator|Calculator.|General Utilities|GNOME Calculator --help|standard +GNU Wget|Interact with servers via HTTP, HTTPS, FTP, and FTPS using this command-line tool.|Explore Network Interactions > Connecting|GNU Wget --help|standard +GhidrAssistMCP|MCP server for AI-assisted reverse engineering in Ghidra.|Use Artificial Intelligence|GhidrAssistMCP --help|standard +Ghidra|Open-source disassembler and decompiler from NSA with scripting, function graphs, and data type management|Statically Analyze Code > General|ghidra|rich +Hachoir|View, edit, and carve contents of various binary file types.|Examine Static Properties > General|Hachoir --help|standard +Hash ID|Identify different types of hashes.|Examine Static Properties > General|Hash ID --help|standard +ILSpy|.NET assembly decompiler — view C#/VB.NET source from compiled .NET binaries|Statically Analyze Code > .NET|ILSpy.exe assembly.exe|rich +INetSim|Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for malware analysis in isolated labs|Explore Network Interactions > Services|inetsim|rich +JD-GUI Java Decompiler|Java decompiler with GUI.|Statically Analyze Code > Java|JD-GUI Java Decompiler --help|standard +Javassist|Java bytecode engineering toolkit/library.|Statically Analyze Code > Java|Javassist --help|standard +Malcat Lite|Analyze binary files using a hex editor, disassembler, and file dissector.|Examine Static Properties > General|Malcat Lite --help|standard +Malchive|Multi-purpose malware analysis library — config extraction, deobfuscation, and static analysis|Examine Static Properties > Deobfuscation|malchive |rich +Network Miner Free Edition|Examine network traffic and carve PCAP capture files.|Explore Network Interactions > Monitoring|Network Miner Free Edition 
--help|standard +ProcDOT|Visualize Process Monitor logs as interactive graphs for behavioral analysis|Investigate System Interactions|procdot|rich +Procyon|Java decompiler.|Statically Analyze Code > Java|Procyon --help|standard +REMnux Installer|Install and update the REMnux distro.|General Utilities|REMnux Installer --help|standard +RSAKeyFinder|Find BER-encoded RSA private keys in a memory image.|Perform Memory Forensics|RSAKeyFinder --help|standard +SQLite|Manage and interact with SQL database files.|General Utilities|SQLite --help|standard +Sleuth Kit|Analyze disk images and recover files from them.|Examine Static Properties > General|Sleuth Kit --help|standard +SpiderMonkey|Mozilla JavaScript engine — execute and deobfuscate malicious JavaScript outside a browser|Dynamically Reverse-Engineer Code > Scripts|js -f malicious.js|rich +Thug|Low-interaction honeyclient for analyzing malicious websites and drive-by downloads|Explore Network Interactions > Connecting|thug -u win7chrome49 http://suspicious-site.com|rich +UPX|Universal Packer for eXecutables — compress and decompress PE files|Statically Analyze Code > Unpacking|upx -d packed.exe|rich +Unfurl|Deconstruct and decode URLs — reveal tracking parameters, encoded data, and redirect chains|Explore Network Interactions > Connecting|unfurl parse |rich +Visual Studio Code|Code editor used for viewing decompiled output, scripts, and analysis results|View or Edit Files|code filename.js|rich +Vivisect|Binary analysis and emulation framework — static analysis with emulation capabilities|Statically Analyze Code > General|vivbin |rich +Wine|Windows compatibility layer — run Windows executables on Linux|Dynamically Reverse-Engineer Code > General|wine program.exe|rich +Wireshark|GUI network protocol analyzer for capturing and inspecting packet-level traffic|Explore Network Interactions > Monitoring|wireshark|rich +XLMMacroDeobfuscator|Deobfuscate Excel 4.0 (XLM) macros — these hide in hidden sheets and are hard to 
detect|Analyze Documents > Microsoft Office|xlmdeobfuscator --file |rich +XORSearch|Search for XOR/ROL/ROT/SHIFT-encoded patterns including shellcode signatures|Examine Static Properties > Deobfuscation|XORSearch -W -d 3 file.bin|rich +YARA-Forge Rules|Scan files with curated YARA rules from 45+ sources for malware family identification.|Examine Static Properties > General|YARA-Forge Rules --help|standard +aeskeyfind|(no description available)||aeskeyfind --help|basic +androguard|Analyze Android APK files — extract permissions, activities, intents, and decompile DEX code|Statically Analyze Code > Android|androguard analyze |rich +android-project-creator|(no description available)||android-project-creator --help|basic +anomy|A wrapper around wget, ssh, sftp, ftp, and telnet to route these connections through Tor to anonymize your traffic.|Explore Network Interactions > Connecting|anomy --help|standard +apkid|Identify compilers, packers, and obfuscators used to protect Android APK and DEX files.|Statically Analyze Code > Android|apkid --help|standard +apktool|Decompile and recompile Android APK files — extract resources, smali code, and manifest|Statically Analyze Code > Android|apktool d -o output/|rich +apt-utils|(no description available)||apt-utils --help|basic +archive-zip|(no description available)||archive-zip --help|basic +autoconf|(no description available)||autoconf --help|basic +autoit-ripper|Extract AutoIt scripts embedded in PE binaries.|Statically Analyze Code > Scripts|autoit-ripper --help|standard +autologin|(no description available)||autologin --help|basic +automake|(no description available)||automake --help|basic +baksmali|Disassembler for the dex format used by Dalvik, Android's Java VM implementation.|Statically Analyze Code > Android|baksmali --help|standard +balbuzard|Extract and deobfuscate patterns from suspicious files.|Examine Static Properties > Deobfuscation|balbuzard --help|standard +base64dump.py|Extract and decode Base64-encoded 
strings from files|Examine Static Properties > Deobfuscation|base64dump.py file.txt|rich +bash-history|(no description available)||bash-history --help|basic +bash-rc|(no description available)||bash-rc --help|basic +bbcrack|Detect and decode strings obfuscated with XOR, ROL, and ADD algorithms|string-deobfuscation|bbcrack -l 1 specimen.dll|rich +bearparser|(no description available)||bearparser --help|basic +binee (Binary Emulation Environment)|Analyze I/O operations of a suspicious PE file by emulating its execution.|Statically Analyze Code > PE Files|binee (Binary Emulation Environment) --help|standard +binee|(no description available)||binee --help|basic +binutils|(no description available)||binutils --help|basic +binwalk|Analyze and extract embedded files and firmware images|Examine Static Properties > General|binwalk firmware.bin|rich +box-js|JavaScript sandbox for analyzing malicious scripts by emulating browser/WScript APIs|Dynamically Reverse-Engineer Code > Scripts|box-js --output-dir=/tmp suspicious.js|rich +brxor.py|Brute-force XOR key detection for single-byte XOR-encoded strings|Examine Static Properties > Deobfuscation|brxor.py specimen.dll|rich +build-essential|(no description available)||build-essential --help|basic +bulk-extractor|Extract interesting strings from binary files.|Examine Static Properties > General|bulk-extractor --help|standard +bundler|(no description available)||bundler --help|basic +burpsuite-community|(no description available)||burpsuite-community --help|basic +cabextract|Extract Microsoft cabinet (cab) files.|General Utilities|cabextract --help|standard +capa|Identify malware capabilities mapped to MITRE ATT&CK framework and Malware Behavior Catalog|Statically Analyze Code > PE Files|capa specimen.exe|rich +cast|Install and manage SaltStack-based Linux distributions.|General Utilities|cast --help|standard +cffi|(no description available)||cffi --help|basic +cfr|Modern Java decompiler — handles Java 8+ features including lambdas 
and try-with-resources|Statically Analyze Code > Java|cfr --outputdir output/|rich +chepy|Decode and otherwise analyze data using this command-line tool and Python library.|Examine Static Properties > Deobfuscation|chepy --help|standard +clamav-daemon|(no description available)||clamav-daemon --help|basic +compatibility|(no description available)||compatibility --help|basic +cs-analyze-processdump.py|Analyze Cobalt Strike beacon process dumps for sleep mask encoding|Examine Static Properties > Deobfuscation|cs-analyze-processdump.py |rich +cs-decrypt-metadata.py|Decrypt Cobalt Strike beacon metadata from network captures|Examine Static Properties > Deobfuscation|cs-decrypt-metadata.py |rich +cs-extract-key.py|Extract AES and HMAC encryption keys from Cobalt Strike beacon process memory dumps|Examine Static Properties > Deobfuscation|cs-extract-key.py -f |rich +cs-parse-traffic.py|Decrypt and parse Cobalt Strike beacon network traffic using extracted keys|Explore Network Interactions > Monitoring|cs-parse-traffic.py -f -k |rich +curl|Transfer data to/from servers using various protocols|Explore Network Interactions > Connecting|curl -L http://example.com|rich +cut-bytes.py|Cut out a part of a data stream.|Examine Static Properties > Deobfuscation|cut-bytes.py --help|standard +dc3-mwcp|DC3 Malware Configuration Parser — extract C2 configs from known malware families|Examine Static Properties > Deobfuscation|mwcp parse |rich +de4dot|.NET deobfuscator — remove obfuscation from .NET assemblies|Statically Analyze Code > .NET|de4dot obfuscated.exe|rich +decode-vbe.py|Decode encoded VBS scripts (VBE).|Statically Analyze Code > Scripts|decode-vbe.py --help|standard +default-jdk|(no description available)||default-jdk --help|basic +default-jre|(no description available)||default-jre --help|basic +dex2jar|Examine Dalvik Executable (dex) files.|Statically Analyze Code > Android|dex2jar --help|standard +dexray|Extract and decode data from antivirus quarantine files.|Gather and 
Analyze Data|dexray --help|standard +dialog|(no description available)||dialog --help|basic +didier-stevens-scripts|(no description available)||didier-stevens-scripts --help|basic +diec|Detect packers, compilers, and tools used to create executables|Examine Static Properties > General|diec specimen.exe|rich +disitool|Manipulate embedded digital signatures.|Examine Static Properties > General|disitool --help|standard +display|(no description available)||display --help|basic +dissect|Perform a variety of forensics and incident response tasks using this DFIR framework and toolset.|Gather and Analyze Data|dissect --help|standard +distro-info|(no description available)||distro-info --help|basic +dllcharacteristics|(no description available)||dllcharacteristics --help|basic +dnfile|Analyze static properties of.|Examine Static Properties > .NET|dnfile --help|standard +dnslib|Python library to encode/decode DNS wire-format packets.|Gather and Analyze Data|dnslib --help|standard +dnsresolver.py|DNS resolver tool for dynamic analysis with wildcard and tracking support.|Explore Network Interactions > Services|dnsresolver.py --help|standard +docker|Run and manage containers.|General Utilities|docker --help|standard +dog|(no description available)||dog --help|basic +dos2unix|Convert text files with Windows or macOS line breaks to Unix line breaks and vice versa.|View or Edit Files|dos2unix --help|standard +dot-cache|(no description available)||dot-cache --help|basic +dot-config|(no description available)||dot-config --help|basic +dot-cpan|(no description available)||dot-cpan --help|basic +dot-dbus|(no description available)||dot-dbus --help|basic +dot-local|(no description available)||dot-local --help|basic +dotnet-runtime-3-1|(no description available)||dotnet-runtime-3-1 --help|basic +dotnetfile|Analyze static properties of.|Examine Static Properties > .NET|dotnetfile --help|standard +droidlysis|Perform static analysis of Android applications.|Examine Static Properties > 
General|droidlysis --help|standard +edb-debugger|(no description available)||edb-debugger --help|basic +emldump.py|Parse and analyze EML email message files|Analyze Documents > Email Messages|emldump.py message.eml|rich +enchant|(no description available)||enchant --help|basic +epic5|(no description available)||epic5 --help|basic +evilclippy|Remove VBA project password protection and manipulate Office macro settings|Analyze Documents > Microsoft Office|evilclippy -uu document.docm|rich +evince|View documents in a variety of formats, including PDF.|View or Edit Files|evince --help|standard +ex-pe-xor|Search an XOR'ed file for indications of executable binaries.|Examine Static Properties > Deobfuscation|ex-pe-xor --help|standard +exfat-utils|(no description available)||exfat-utils --help|basic +exiftool|Extract metadata from files (PDF, images, documents, executables)|Examine Static Properties > General|exiftool document.pdf|rich +fakedns|Fake DNS server that resolves all queries to a specified IP for traffic interception|Explore Network Interactions > Services|fakedns|rich +fakemail|Intercept and examine SMTP email activity with this fake SMTP server.|Explore Network Interactions > Services|fakemail --help|standard +fakenet-ng|Emulate network services (HTTP, DNS, SMTP, FTP) to intercept and analyze malware traffic dynamically|Explore Network Interactions > Services|fakenet|rich +feh|Lightweight image viewer for viewing extracted images from documents|View or Edit Files|feh extracted_image.jpg|rich +file-magic.py|Identify file types using the Python magic module.|Examine Static Properties > General|file-magic.py --help|standard +file|Determine file type and MIME type using magic bytes|Examine Static Properties > General|file specimen.exe|rich +firefox|Web browser.|General Utilities|firefox --help|standard +flare-floss|(no description available)||flare-floss --help|basic +flex|(no description available)||flex --help|basic +format-bytes.py|Decompose structured binary 
data with format strings.|Examine Static Properties > Deobfuscation|format-bytes.py --help|standard +galculator|(no description available)||galculator --help|basic +gdb|(no description available)||gdb --help|basic +gdm3|(no description available)||gdm3 --help|basic +gift|(no description available)||gift --help|basic +git|(no description available)||git --help|basic +gnome-session|(no description available)||gnome-session --help|basic +gnome-shell-extensions|(no description available)||gnome-shell-extensions --help|basic +gnome-terminal|(no description available)||gnome-terminal --help|basic +gnome-tweaks|(no description available)||gnome-tweaks --help|basic +gnutls-bin|(no description available)||gnutls-bin --help|basic +goresym|Extract metadata and symbols from Go binaries, including stripped ones.|Examine Static Properties > Go|goresym --help|standard +graphviz|(no description available)||graphviz --help|basic +grub-kvm|(no description available)||grub-kvm --help|basic +guest-tools|(no description available)||guest-tools --help|basic +gunzip|Decompress gzip-compressed data (often used in multi-stage payload extraction)|utilities|gunzip -c compressed.gz > output.bin|rich +hex-to-bin.py|Convert hexadecimal text dumps to binary data.|Examine Static Properties > Deobfuscation|hex-to-bin.py --help|standard +hexdump|Display file content in hexadecimal format|utilities|hexdump -C binary.dat|rich +httpd|Simple HTTP server on REMnux for simulating C2 web servers|Explore Network Interactions > Services|httpd|rich +i386-architecture|(no description available)||i386-architecture --help|basic +ibus|Adjust input methods for the GUI.|General Utilities|ibus --help|standard +ilspycmd|Command-line .NET decompiler (CLI version of ILSpy)|dotnet-analysis|ilspycmd assembly.exe > decompiled.cs|rich +imagemagick|View and manipulate image and related files.|View or Edit Files|imagemagick --help|standard +inspircd|Examine IRC activity with this IRC server.|Explore Network Interactions > 
Services|inspircd --help|standard +ioc-parser|Extract indicators of compromise (IOCs) from PDF reports and text files|Gather and Analyze Data|ioc_parser |rich +iproute2|(no description available)||iproute2 --help|basic +iptables|Linux firewall and NAT tool for redirecting IP-based malware traffic|network-analysis|iptables -t nat -A PREROUTING -i ens32 -j REDIRECT|rich +iputils-ping|(no description available)||iputils-ping --help|basic +ipwhois|Retrieve and parse whois data for IP addresses.|Gather and Analyze Data|ipwhois --help|standard +ipython3|(no description available)||ipython3 --help|basic +jadx|Decompile Android DEX/APK to Java source code with a GUI or command line|Statically Analyze Code > Android|jadx -d output/|rich +java-idx-parser|Analyze Java IDX files.|Statically Analyze Code > Java|java-idx-parser --help|standard +jd-gui|Visual Java decompiler with GUI — browse and search decompiled JAR/class files||jd-gui |rich +jq|Command-line JSON processor for extracting and transforming structured data|utilities|cat report.json jq '.apis'|rich +js-beautify|Format and beautify obfuscated JavaScript code for readability|Statically Analyze Code > Scripts|js-beautify malicious.js > beautified.js|rich +jstillery|Deobfuscate JavaScript scripts using AST and Partial Evaluation techniques.|Dynamically Reverse-Engineer Code > Scripts|jstillery --help|standard +lame|(no description available)||lame --help|basic +libboost-dev|(no description available)||libboost-dev --help|basic +libboost-python-dev|(no description available)||libboost-python-dev --help|basic +libboost-system-dev|(no description available)||libboost-system-dev --help|basic +libdpkg-perl|(no description available)||libdpkg-perl --help|basic +libemail-outlook-message-perl|(no description available)||libemail-outlook-message-perl --help|basic +libemu|A library for x86 code emulation and shellcode detection.|Dynamically Reverse-Engineer Code > Shellcode|libemu --help|standard +libffi-dev|(no description 
available)||libffi-dev --help|basic +libfuse2|(no description available)||libfuse2 --help|basic +libfuzzy-dev|(no description available)||libfuzzy-dev --help|basic +libfuzzy2|(no description available)||libfuzzy2 --help|basic +libglib2|(no description available)||libglib2 --help|basic +libglu1-mesa-dev|(no description available)||libglu1-mesa-dev --help|basic +libgraphviz-dev|(no description available)||libgraphviz-dev --help|basic +libgtk-3-0|(no description available)||libgtk-3-0 --help|basic +libjavassist-java|(no description available)||libjavassist-java --help|basic +libjpeg-dev|(no description available)||libjpeg-dev --help|basic +libjpeg8-dev|(no description available)||libjpeg8-dev --help|basic +liblzma-dev|(no description available)||liblzma-dev --help|basic +liblzo2-dev|(no description available)||liblzo2-dev --help|basic +libmagic-dev|(no description available)||libmagic-dev --help|basic +libmysqlclient21|(no description available)||libmysqlclient21 --help|basic +libncurses|(no description available)||libncurses --help|basic +libnetfilter-queue-dev|(no description available)||libnetfilter-queue-dev --help|basic +libnfnetlink-dev|(no description available)||libnfnetlink-dev --help|basic +libolecf|Microsoft Office OLE2 compound documents.|Analyze Documents > Microsoft Office|libolecf --help|standard +libpq5|(no description available)||libpq5 --help|basic +libqt5scripttools5|(no description available)||libqt5scripttools5 --help|basic +libre2|(no description available)||libre2 --help|basic +libsm6|(no description available)||libsm6 --help|basic +libsqlite3-dev|(no description available)||libsqlite3-dev --help|basic +libssl-dev|(no description available)||libssl-dev --help|basic +libtool|(no description available)||libtool --help|basic +libtre5|(no description available)||libtre5 --help|basic +libusb-1|(no description available)||libusb-1 --help|basic +libxml2-dev|(no description available)||libxml2-dev --help|basic +libxslt1-dev|(no description 
available)||libxslt1-dev --help|basic +lief|Parse and analyze PE, ELF, MachO, DEX, OAT, VDEX, ART, and DWARF executable formats.|Examine Static Properties > General|lief --help|standard +linux-headers|(no description available)||linux-headers --help|basic +ltrace|(no description available)||ltrace --help|basic +magika|Identify file type using signatures.|Examine Static Properties > General|magika --help|standard +mail-parser|Parse raw SMTP email messages and extract headers, body, and attachments|Analyze Documents > Email Messages|python3 -c "import mailparser; mail = mailparser.parse_from_file(''); print(mail.subject)"|rich +malcat|(no description available)||malcat --help|basic +malwoverview|Query VirusTotal, Hybrid Analysis, and MalwareBazaar for malware intelligence|Gather and Analyze Data|malwoverview -v |rich +manalyze|(no description available)||manalyze --help|basic +mbcscan|Scan a PE file to list the associated Malware Behavior Catalog (MBC) details.|Statically Analyze Code > PE Files|mbcscan --help|standard +mercurial|(no description available)||mercurial --help|basic +microsoft-vscode|(no description available)||microsoft-vscode --help|basic +microsoft|(no description available)||microsoft --help|basic +mitmproxy|Interactive HTTPS proxy for intercepting, inspecting, and modifying encrypted web traffic|Explore Network Interactions > Monitoring|mitmproxy|rich +mono-devel|(no description available)||mono-devel --help|basic +mono-utils|(no description available)||mono-utils --help|basic +monodis|Disassemble and extract resources from.|Examine Static Properties > .NET|monodis --help|standard +mono|(no description available)||mono --help|basic +msg-extractor|Extract emails and attachments from Microsoft Outlook MSG files|Analyze Documents > Email Messages|extract_msg |rich +msgconvert|Convert MSG files to MBOX files.|Analyze Documents > Email Messages|msgconvert --help|standard +msitools|Create, inspect and extract Windows Installer (.|Examine Static 
Properties > General|msitools --help|standard +msoffcrypto-crack.py|Recover the password of an encrypted Microsoft Office document.|Analyze Documents > Microsoft Office|msoffcrypto-crack.py --help|standard +msoffcrypto-tool|Decrypt password-protected Microsoft Office documents (OLE and OOXML)|Analyze Documents > Microsoft Office|msoffcrypto-tool -p infected |rich +msoffice-crypt|Encrypt and decrypt OOXML Microsoft Office documents.|Analyze Documents > Microsoft Office|msoffice-crypt --help|standard +myip|Determine the IP address of the default network interface.|General Utilities|myip --help|standard +myjson-filter.py|Filter data formatted using the JSON format used by Didier Stevens' tools.|General Utilities|myjson-filter.py --help|standard +mynic|(no description available)||mynic --help|basic +name-that-hash|Identify dfferent types of hashes.|Examine Static Properties > General|name-that-hash --help|standard +nano|(no description available)||nano --help|basic +nasm|An x86-64 assembler.|General Utilities|nasm --help|standard +nautilus|Graphical file manager.|General Utilities|nautilus --help|standard +nc|Network utility for reading/writing data across TCP/UDP connections|Explore Network Interactions > Connecting|nc -l -p 3127|rich +ndg-httpsclient|(no description available)||ndg-httpsclient --help|basic +net-tools|(no description available)||net-tools --help|basic +networkminer|Passive network traffic analyzer — extracts files, images, credentials from PCAP captures||NetworkMiner --pcap |rich +nginx|Web server.|Explore Network Interactions > Services|nginx --help|standard +ngrep|Search network traffic for patterns — like grep for packets|Explore Network Interactions > Monitoring|ngrep -I 'password'|rich +nodejs|(no description available)||nodejs --help|basic +nomorexor|Help guess a file's 256-byte XOR by using frequency analysis.|Examine Static Properties > Deobfuscation|nomorexor --help|standard +nslookup|DNS query tool for testing name 
resolution|network-analysis|nslookup domain.com|rich +nsrllookup|Look up MD5 file hashes in the NIST National Software Reference Library (NSRL).|Gather and Analyze Data|nsrllookup --help|standard +numbers-to-string.py|Convert sequences of decimal numbers to readable characters|Examine Static Properties > General|oledump.py doc.docm -s A3 -v numbers-to-string.py -j|rich +objdump|Disassemble binary files.|Statically Analyze Code > General|objdump --help|standard +objects.js|Emulate common browser and PDF viewer objects, methods, and properties when deobfuscating JavaScript.|Dynamically Reverse-Engineer Code > Scripts|objects.js --help|standard +oledump.py|Analyze OLE2 files (Office documents), extract streams and VBA macros|Analyze Documents > Microsoft Office|oledump.py document.docm|rich +olefile|Python package to parse, read and write MS OLE2 files.|Analyze Documents > Microsoft Office|olefile --help|standard +olevba|Extract and analyze VBA macros from Office documents with deobfuscation|Analyze Documents > Microsoft Office|olevba document.docm|rich +onedump.py|Extract and analyze embedded files from OneNote documents.|Analyze Documents > Microsoft Office|onedump.py --help|standard +opencode|Open-source AI coding agent for the terminal.|Use Artificial Intelligence|opencode --help|standard +openjdk|(no description available)||openjdk --help|basic +openssh|Initiate and receive SSH and SFTP connections.|General Utilities|openssh --help|standard +openssl|(no description available)||openssl --help|basic +origamindee|Parse, modify, generate PDF files.|Analyze Documents > PDF|origamindee --help|standard +osarch|(no description available)||osarch --help|basic +pcode2code|Decompile VBA p-code from Office documents — works even when VBA source is removed|Analyze Documents > Microsoft Office|pcode2code |rich +pcodedmp|Disassemble VBA p-code.|Analyze Documents > Microsoft Office|pcodedmp --help|standard +pdf-parser.py|Parse PDF structure, locate objects, extract content, and 
search for strings|Analyze Documents > PDF|pdf-parser.py document.pdf -a|rich +pdfid.py|Scan PDF files for suspicious keywords like /JavaScript, /OpenAction, /Launch without parsing|Analyze Documents > PDF|pdfid.py document.pdf|rich +pdfresurrect|Extract and analyze previous versions from PDF files|Analyze Documents > PDF|pdfresurrect document.pdf|rich +pdftk|Manipulate PDF files — merge, split, flatten, encrypt, and extract embedded content|Analyze Documents > PDF|pdftk input.pdf cat output output.pdf flatten|rich +pdftool.py|Analyze PDF incremental updates|Analyze Documents > PDF|pdftool.py document.pdf|rich +pdnstool|Query passive DNS databases for DNS data.|Gather and Analyze Data|pdnstool --help|standard +pe-tree|(no description available)||pe-tree --help|basic +pedump|(no description available)||pedump --help|basic +peepdf|Interactive PDF analysis framework with JavaScript detection and exploitation capabilities|Analyze Documents > PDF|peepdf -i malicious.pdf|rich +peframe|Static analysis of PE files — extract properties, detect anomalies, identify packers|static-analysis-pe|peframe specimen.exe|rich +perl|(no description available)||perl --help|basic +pestr|Extract ASCII and Unicode strings from PE files|static-analysis-pe|pestr specimen.exe|rich +pev|(no description available)||pev --help|basic +pgadmin|(no description available)||pgadmin --help|basic +pip|(no description available)||pip --help|basic +pkg-config|(no description available)||pkg-config --help|basic +polarproxy|Transparent TLS proxy that decrypts traffic and saves it as PCAP for analysis in Wireshark|Explore Network Interactions > Monitoring|PolarProxy -p 443,80 -w captured.pcap|rich +portex|(no description available)||portex --help|basic +powershell|Run PowerShell scripts and commands.|Dynamically Reverse-Engineer Code > Scripts|powershell --help|standard +prefer-ipv4|(no description available)||prefer-ipv4 --help|basic +procyon-decompiler|(no description available)||procyon-decompiler 
--help|basic +protobuf|(no description available)||protobuf --help|basic +pycdc|(no description available)||pycdc --help|basic +pyelftools|(no description available)||pyelftools --help|basic +pyinstaller-extractor|Extract contents of a PyInstaller-generated PE files.|Statically Analyze Code > Python|pyinstaller-extractor --help|standard +pyinstxtractor-ng|Extract contents of PyInstaller-generated executables without needing matching Python version|Statically Analyze Code > Python|pyinstxtractor-ng |rich +python-debian|(no description available)||python-debian --help|basic +python3-cryptography|(no description available)||python3-cryptography --help|basic +python3-dev|(no description available)||python3-dev --help|basic +python3-dnspython|(no description available)||python3-dnspython --help|basic +python3-magic|(no description available)||python3-magic --help|basic +python3-netifaces|(no description available)||python3-netifaces --help|basic +python3-numpy|(no description available)||python3-numpy --help|basic +python3-pil|(no description available)||python3-pil --help|basic +python3-pip|(no description available)||python3-pip --help|basic +python3-pyasn1|(no description available)||python3-pyasn1 --help|basic +python3-pyqt5|(no description available)||python3-pyqt5 --help|basic +python3-requests|(no description available)||python3-requests --help|basic +python3-setuptools|(no description available)||python3-setuptools --help|basic +python3-ssdeep|(no description available)||python3-ssdeep --help|basic +python3-tk|(no description available)||python3-tk --help|basic +python3-venv|(no description available)||python3-venv --help|basic +python3-virtualenv|(no description available)||python3-virtualenv --help|basic +python3-wheel|(no description available)||python3-wheel --help|basic +python3|(no description available)||python3 --help|basic +qiling|Multi-platform binary emulation framework — emulate PE, ELF, shellcode across OS/arch combinations|Statically Analyze Code > 
General|python3 -c "from qiling import Qiling; ql = Qiling([''], '/path/to/rootfs')"|rich +qpdf|Decrypt, linearize, and transform PDF files — useful for removing password protection|Analyze Documents > PDF|qpdf --decrypt encrypted.pdf output.pdf|rich +qtbase5-dev|(no description available)||qtbase5-dev --help|basic +radare2|Open-source reverse engineering command-line framework|Dynamically Reverse-Engineer Code > General|r2 specimen.exe|rich +rar|Extract RAR archives (including self-extracting RAR payloads)|General Utilities|rar x archive.rar|rich +re-search.py|Search the file for built-in regular expressions of common suspicious artifacts.|Examine Static Properties > General|re-search.py --help|standard +redress|Analyze stripped Go binaries to recover symbols, types, source structure, and integrate with Radare2.|Examine Static Properties > Go|redress --help|standard +refresh|(no description available)||refresh --help|basic +remnux-mcp-server|MCP server for using the REMnux malware analysis toolkit via AI assistants.|Use Artificial Intelligence|remnux-mcp-server --help|standard +remnux|(no description available)||remnux --help|basic +remove-app-icons|(no description available)||remove-app-icons --help|basic +rhino|(no description available)||rhino --help|basic +rsakeyfind|(no description available)||rsakeyfind --help|basic +rtfdump.py|Analyze RTF file structure, identify hex-encoded groups and embedded objects|Analyze Documents > Microsoft Office|rtfdump.py document.rtf|rich +ruby-dev|(no description available)||ruby-dev --help|basic +ruby|(no description available)||ruby --help|basic +runsc32|Execute extracted shellcode for dynamic analysis|Dynamically Reverse-Engineer Code > Shellcode|runsc32 -f shellcode.bin -o 0x3B -d qa.doc|rich +salt-minion|(no description available)||salt-minion --help|basic +sandfly-processdecloak|Find hidden processes on the local Linux system.|Investigate System Interactions|sandfly-processdecloak --help|standard +scalpel|Carve contents 
out of binary files, such as partitions.|Gather and Analyze Data|scalpel --help|standard +scdbgc|Shellcode emulator — analyze shellcode behavior through API-level emulation|Dynamically Reverse-Engineer Code > Shellcode|scdbgc /f shellcode.bin /s -1|rich +scite|Edit text files.|View or Edit Files|scite --help|standard +sets.py|Perform set operations on lines or bytes in text files.|Examine Static Properties > Deobfuscation|sets.py --help|standard +sharutils|(no description available)||sharutils --help|basic +shcode2exe|Convert raw shellcode to a Windows PE executable for analysis in disassemblers|Dynamically Reverse-Engineer Code > Shellcode|shcode2exe |rich +shellcode2exe-bat|Convert 32 and 64-bit shellcode to a Windows executable file.|Dynamically Reverse-Engineer Code > Shellcode|shellcode2exe-bat --help|standard +sift|(no description available)||sift --help|basic +signsrch|Find patterns of common encryption, compression, or encoding algorithms.|Examine Static Properties > General|signsrch --help|standard +sleuthkit|(no description available)||sleuthkit --help|basic +snapd|(no description available)||snapd --help|basic +snap|(no description available)||snap --help|basic +software-properties-common|(no description available)||software-properties-common --help|basic +sortcanon.py|Sort text files using canonicalization functions built into this tool.|General Utilities|sortcanon.py --help|standard +speakeasy|Windows binary emulator — emulates API calls to analyze malware behavior without native execution|Statically Analyze Code > PE Files|speakeasy -t specimen.exe -o report.json 2> report.txt|rich +ssdeep|Compute fuzzy hashes (CTPH) for finding similar files — useful for malware variant clustering|Examine Static Properties > General|ssdeep |rich +ssh|(no description available)||ssh --help|basic +ssview|Analyze OLE2 Structured Storage files.|Analyze Documents > Microsoft Office|ssview --help|standard +strace|(no description available)||strace --help|basic 
+strdeob.pl|Automatically decode stack-built strings from disassembled malware|Examine Static Properties > Deobfuscation|strdeob.pl specimen.exe|rich +strings|Extract printable ASCII and Unicode strings from binary files|Examine Static Properties > General|strings binary.exe|rich +subversion|(no description available)||subversion --help|basic +sudoers|(no description available)||sudoers --help|basic +sudo|(no description available)||sudo --help|basic +tcpdump|Command-line packet capture tool|Explore Network Interactions > Monitoring|tcpdump -i eth0 -w capture.pcap|rich +tcpflow|Extract and reassemble TCP streams from PCAP files into individual files|Explore Network Interactions > Monitoring|tcpflow -r -o output/|rich +tcpick|Capture and analyze network traffic with this command-line sniffer.|Explore Network Interactions > Monitoring|tcpick --help|standard +tcpxtract|Carve files from network traffic using file signatures|Explore Network Interactions > Monitoring|tcpxtract -f -o output/|rich +tesseract-ocr|Examine images to identify and extract text using optical character recognition (OCR).|Analyze Documents > General|tesseract-ocr --help|standard +texteditor.py|Edit text files from the command line using search-and-replace commands.|General Utilities|texteditor.py --help|standard +thefuzz|Fuzzy String Matching in Python.|Examine Static Properties > General|thefuzz --help|standard +time-decode|Decode and encode date and timestamps.|Gather and Analyze Data|time-decode --help|standard +torsocks|Route network traffic through the Tor anonymity network|network-analysis|torsocks curl http://example.onion|rich +tor|Obfuscate your origins by routing traffic through a network of anonymizing nodes.|Explore Network Interactions > Connecting|tor --help|standard +translate.py|Transform data using Python expressions (XOR, ADD, etc.)|Examine Static Properties > Deobfuscation|translate.py "byte ^ 35" < input.bin > output.bin|rich +trid|Identify file type by scanning binary 
signatures database|Examine Static Properties > General|trid document.doc|rich +tshark|Command-line interface to Wireshark for packet capture and analysis|Explore Network Interactions > Monitoring|tshark -r capture.pcap|rich +tzdata|(no description available)||tzdata --help|basic +ubuntu-universe|(no description available)||ubuntu-universe --help|basic +ubuntu|(no description available)||ubuntu --help|basic +uncompyle6|Decompile Python bytecode (.pyc) back to source — supports Python 1.0 through 3.8|Statically Analyze Code > Python|uncompyle6 |rich +unhide|Find hidden processes or connections on the local Linux system.|Investigate System Interactions|unhide --help|standard +unicode|Display Unicode character properties.|Examine Static Properties > Deobfuscation|unicode --help|standard +unxor|Deobfuscate XOR'ed files.|Examine Static Properties > Deobfuscation|unxor --help|standard +unzip|Extract ZIP archives containing malware samples|General Utilities|unzip -P infected sample.zip|rich +user|(no description available)||user --help|basic +vbindiff|Compare binary files.|View or Edit Files|vbindiff --help|standard +vim|(no description available)||vim --help|basic +virustotal-search|Search VirusTotal for file hashes.|Gather and Analyze Data|virustotal-search --help|standard +virustotal-submit|Submit files to VirusTotal.|Gather and Analyze Data|virustotal-submit --help|standard +volatility3|Memory forensics framework — analyze RAM dumps to find malware, hidden processes, network connections, and injected code|Perform Memory Forensics|vol3 -f windows.info|rich +vscode|(no description available)||vscode --help|basic +wget|Download files from HTTP/HTTPS/FTP servers|utilities|wget http://example.com/file.bin|rich +wireshark-dev|(no description available)||wireshark-dev --help|basic +wxhexeditor|Hex editor.|Examine Static Properties > General|wxhexeditor --help|standard +xdg-utils|(no description available)||xdg-utils --help|basic +xmldump.py|Extract contents of XML files, in 
particular OOXML-formatted Microsoft Office documents.|Analyze Documents > Microsoft Office|xmldump.py --help|standard +xmlstarlet|(no description available)||xmlstarlet --help|basic +xor-kpa.py|Implement a XOR known plaintext attack.|Examine Static Properties > Deobfuscation|xor-kpa.py --help|standard +xorbruteforcer|Bruteforce an XOR-encoded file.|Examine Static Properties > Deobfuscation|xorbruteforcer --help|standard +xorstrings|Search for XOR encoded strings in a file.|Examine Static Properties > Deobfuscation|xorstrings --help|standard +xortool|Analyze XOR-encoded data — guess key length and probable key bytes|Examine Static Properties > Deobfuscation|xortool |rich +xterm|(no description available)||xterm --help|basic +xxd|Create hex dump of a file or reverse a hex dump back to binary|utilities|xxd binary.exe|rich +yara-x|Scan files using YARA rules, the next generation of YARA written in Rust.|Gather and Analyze Data|yara-x --help|standard +yara|Pattern matching tool for identifying and classifying malware using custom rules|Examine Static Properties > General|yara-rules specimen.bin|rich +zbar-tools|(no description available)||zbar-tools --help|basic +zbarimg|Decode QR codes and barcodes from image files.|Explore Network Interactions > Connecting|zbarimg --help|standard +zipdump.py|Parse and analyze ZIP archive structure|Analyze Documents > Microsoft Office|zipdump.py archive.zip|rich +zlib1g-dev|(no description available)||zlib1g-dev --help|basic diff --git a/data/generated/tools.json b/data/generated/tools.json new file mode 100644 index 0000000..23e1d2e --- /dev/null +++ b/data/generated/tools.json 
@@ -0,0 +1,2938 @@ +{ + "tools": [ + { + "id": "pdfid-py", + "name": "pdfid.py", + "aliases": [ + "pdfid" + ], + "description": "Scan PDF files for suspicious keywords like /JavaScript, /OpenAction, /Launch without parsing", + "category": "pdf-analysis", + "platform": "linux", + "in_remnux": true, + "author": "Didier Stevens", + "labs": [ + "3.1" + ], + "typical_usage": [ + "pdfid.py document.pdf", + "pdfid.py -n document.pdf" + ], + "for610_sections": [ + 1, + 3 + ], + "tags": [ + "pdf", + "static-analysis", + "triage", + "didier-stevens" + ] + }, + { + "id": "pdf-parser-py", + "name": "pdf-parser.py", + "aliases": [ + "pdf-parser" + ], + "description": "Parse PDF structure, locate objects, extract content, and search for strings", + "category": "pdf-analysis", + "platform": "linux", + "in_remnux": true, + "author": "Didier Stevens", + "labs": [ + "3.1" + ], + "typical_usage": [ + "pdf-parser.py document.pdf -a", + "pdf-parser.py document.pdf -s /URI", + "pdf-parser.py document.pdf -k /URI", + "pdf-parser.py document.pdf -o 6 -d object6.jpg" + ], + "for610_sections": [ + 1, + 3 + ], + "tags": [ + "pdf", + "static-analysis", + "object-extraction", + "didier-stevens" + ] + }, + { + "id": "peepdf", + "name": "peepdf", + "aliases": [], + "description": "Interactive PDF analysis framework with JavaScript detection and exploitation capabilities", + "category": "pdf-analysis", + "platform": "linux", + "in_remnux": true, + "labs": [], + "typical_usage": [ + "peepdf -i malicious.pdf", + "peepdf -f -i malicious.pdf" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "pdf", + "interactive", + "javascript-detection" + ] + }, + { + "id": "pdftool-py", + "name": "pdftool.py", + "aliases": [], + "description": "Analyze PDF incremental updates", + "category": "pdf-analysis", + "platform": "linux", + "in_remnux": true, + "author": "Didier Stevens", + "labs": [], + "typical_usage": [ + "pdftool.py document.pdf" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "pdf", + 
"didier-stevens" + ] + }, + { + "id": "pdfresurrect", + "name": "pdfresurrect", + "aliases": [], + "description": "Extract and analyze previous versions from PDF files", + "category": "pdf-analysis", + "platform": "linux", + "in_remnux": true, + "labs": [], + "typical_usage": [ + "pdfresurrect document.pdf" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "pdf", + "versioning" + ] + }, + { + "id": "qpdf", + "name": "qpdf", + "aliases": [], + "description": "Decrypt, linearize, and transform PDF files \u2014 useful for removing password protection", + "category": "pdf-analysis", + "platform": "linux", + "in_remnux": true, + "labs": [], + "typical_usage": [ + "qpdf --decrypt encrypted.pdf output.pdf" + ], + "for610_sections": [ + 3 + ], + "tags": [ + "pdf", + "decryption", + "transformation" + ] + }, + { + "id": "pdftk", + "name": "pdftk", + "aliases": [], + "description": "Manipulate PDF files \u2014 merge, split, flatten, encrypt, and extract embedded content", + "category": "pdf-analysis", + "platform": "linux", + "in_remnux": true, + "labs": [], + "typical_usage": [ + "pdftk input.pdf cat output output.pdf flatten", + "pdftk input.pdf unpack_files" + ], + "for610_sections": [ + 3 + ], + "tags": [ + "pdf", + "manipulation", + "extraction" + ] + }, + { + "id": "oledump-py", + "name": "oledump.py", + "aliases": [ + "oledump" + ], + "description": "Analyze OLE2 files (Office documents), extract streams and VBA macros", + "category": "document-analysis", + "platform": "linux", + "in_remnux": true, + "author": "Didier Stevens", + "labs": [ + "3.3", + "3.4", + "4.5" + ], + "typical_usage": [ + "oledump.py document.docm", + "oledump.py document.docm -s A3 -v", + "oledump.py document.docm -i" + ], + "for610_sections": [ + 3, + 4 + ], + "tags": [ + "office", + "vba", + "macro", + "ole", + "didier-stevens" + ] + }, + { + "id": "olevba", + "name": "olevba", + "aliases": [], + "description": "Extract and analyze VBA macros from Office documents with deobfuscation", + 
"category": "document-analysis", + "platform": "linux", + "in_remnux": true, + "labs": [], + "typical_usage": [ + "olevba document.docm", + "olevba --deobf document.docm" + ], + "for610_sections": [ + 3 + ], + "tags": [ + "office", + "vba", + "macro", + "deobfuscation" + ] + }, + { + "id": "evilclippy", + "name": "evilclippy", + "aliases": [], + "description": "Remove VBA project password protection and manipulate Office macro settings", + "category": "document-analysis", + "platform": "both", + "in_remnux": true, + "labs": [], + "typical_usage": [ + "evilclippy -uu document.docm" + ], + "for610_sections": [ + 3 + ], + "tags": [ + "office", + "vba", + "password-removal" + ] + }, + { + "id": "rtfdump-py", + "name": "rtfdump.py", + "aliases": [ + "rtfdump" + ], + "description": "Analyze RTF file structure, identify hex-encoded groups and embedded objects", + "category": "document-analysis", + "platform": "linux", + "in_remnux": true, + "author": "Didier Stevens", + "labs": [ + "3.5" + ], + "typical_usage": [ + "rtfdump.py document.rtf", + "rtfdump.py document.rtf -s 5 -H -d > extracted.bin" + ], + "for610_sections": [ + 3 + ], + "tags": [ + "rtf", + "document", + "didier-stevens" + ] + }, + { + "id": "base64dump-py", + "name": "base64dump.py", + "aliases": [ + "base64dump" + ], + "description": "Extract and decode Base64-encoded strings from files", + "category": "document-analysis", + "platform": "linux", + "in_remnux": true, + "author": "Didier Stevens", + "labs": [ + "3.4", + "4.5" + ], + "typical_usage": [ + "base64dump.py file.txt", + "base64dump.py file.ps1 -n 10", + "base64dump.py file.ps1 -s 2 -d" + ], + "for610_sections": [ + 3, + 4 + ], + "tags": [ + "base64", + "decoding", + "didier-stevens" + ] + }, + { + "id": "emldump-py", + "name": "emldump.py", + "aliases": [ + "emldump" + ], + "description": "Parse and analyze EML email message files", + "category": "document-analysis", + "platform": "linux", + "in_remnux": true, + "author": "Didier Stevens", + 
"labs": [], + "typical_usage": [ + "emldump.py message.eml" + ], + "for610_sections": [ + 3 + ], + "tags": [ + "email", + "eml", + "didier-stevens" + ] + }, + { + "id": "zipdump-py", + "name": "zipdump.py", + "aliases": [ + "zipdump" + ], + "description": "Parse and analyze ZIP archive structure", + "category": "document-analysis", + "platform": "linux", + "in_remnux": true, + "author": "Didier Stevens", + "labs": [], + "typical_usage": [ + "zipdump.py archive.zip" + ], + "for610_sections": [ + 3 + ], + "tags": [ + "zip", + "archive", + "didier-stevens" + ] + }, + { + "id": "numbers-to-string-py", + "name": "numbers-to-string.py", + "aliases": [], + "description": "Convert sequences of decimal numbers to readable characters", + "category": "document-analysis", + "platform": "linux", + "in_remnux": true, + "author": "Didier Stevens", + "labs": [ + "3.3" + ], + "typical_usage": [ + "oledump.py doc.docm -s A3 -v | numbers-to-string.py -j" + ], + "for610_sections": [ + 3 + ], + "tags": [ + "decoding", + "deobfuscation", + "didier-stevens" + ] + }, + { + "id": "translate-py", + "name": "translate.py", + "aliases": [], + "description": "Transform data using Python expressions (XOR, ADD, etc.)", + "category": "document-analysis", + "platform": "linux", + "in_remnux": true, + "author": "Didier Stevens", + "labs": [ + "3.4" + ], + "typical_usage": [ + "translate.py \"byte ^ 35\" < input.bin > output.bin" + ], + "for610_sections": [ + 3 + ], + "tags": [ + "xor", + "transformation", + "decoding", + "didier-stevens" + ] + }, + { + "id": "pestudio", + "name": "PeStudio", + "aliases": [], + "description": "GUI tool for examining static properties of PE files \u2014 imports, strings, sections, entropy, indicators", + "category": "static-analysis-pe", + "platform": "windows", + "in_remnux": false, + "labs": [ + "1.1", + "1.5", + "2.7", + "3.10", + "3.12", + "4.1", + "4.2", + "4.3", + "4.7", + "4.8", + "5.3", + "5.4", + "5.8", + "5.9", + "5.10" + ], + "typical_usage": [ + 
"pestudio.exe specimen.exe" + ], + "for610_sections": [ + 1, + 2, + 3, + 4, + 5 + ], + "tags": [ + "pe", + "static-analysis", + "imports", + "strings", + "entropy", + "triage" + ] + }, + { + "id": "peframe", + "name": "peframe", + "aliases": [], + "description": "Static analysis of PE files \u2014 extract properties, detect anomalies, identify packers", + "category": "static-analysis-pe", + "platform": "linux", + "in_remnux": true, + "labs": [ + "1.1", + "4.8" + ], + "typical_usage": [ + "peframe specimen.exe" + ], + "for610_sections": [ + 1, + 4 + ], + "tags": [ + "pe", + "static-analysis", + "triage" + ] + }, + { + "id": "pestr", + "name": "pestr", + "aliases": [], + "description": "Extract ASCII and Unicode strings from PE files", + "category": "static-analysis-pe", + "platform": "linux", + "in_remnux": true, + "labs": [ + "1.1", + "4.8" + ], + "typical_usage": [ + "pestr specimen.exe" + ], + "for610_sections": [ + 1, + 4 + ], + "tags": [ + "pe", + "strings", + "static-analysis" + ] + }, + { + "id": "strings", + "name": "strings", + "aliases": [], + "description": "Extract printable ASCII and Unicode strings from binary files", + "category": "static-analysis-pe", + "platform": "linux", + "in_remnux": true, + "labs": [ + "3.4", + "5.2" + ], + "typical_usage": [ + "strings binary.exe", + "strings -n 10 binary.exe", + "strings --encoding=l binary.exe" + ], + "for610_sections": [ + 1, + 3 + ], + "tags": [ + "strings", + "static-analysis", + "triage" + ] + }, + { + "id": "bytehist", + "name": "Bytehist", + "aliases": [], + "description": "Generate byte-usage histograms to visually identify packed or encrypted sections in binaries", + "category": "static-analysis-pe", + "platform": "both", + "in_remnux": true, + "labs": [], + "typical_usage": [ + "bytehist specimen.exe" + ], + "for610_sections": [ + 1, + 4 + ], + "tags": [ + "pe", + "entropy", + "packing-detection", + "histogram" + ] + }, + { + "id": "diec", + "name": "diec", + "aliases": [ + "Detect It Easy", + "DIE" 
+ ], + "description": "Detect packers, compilers, and tools used to create executables", + "category": "static-analysis-pe", + "platform": "both", + "in_remnux": true, + "labs": [ + "4.1" + ], + "typical_usage": [ + "diec specimen.exe" + ], + "for610_sections": [ + 1, + 4 + ], + "tags": [ + "pe", + "packer-detection", + "compiler-detection" + ] + }, + { + "id": "exeinfo-pe", + "name": "ExeInfo PE", + "aliases": [ + "ExeInfoPE", + "ExeInfo" + ], + "description": "Identify tools and packers used to create PE executables", + "category": "static-analysis-pe", + "platform": "windows", + "in_remnux": false, + "labs": [ + "3.12" + ], + "typical_usage": [ + "ExeInfoPE.exe specimen.exe" + ], + "for610_sections": [ + 1, + 3 + ], + "tags": [ + "pe", + "packer-detection" + ] + }, + { + "id": "cff-explorer", + "name": "CFF Explorer", + "aliases": [], + "description": "View and edit PE file headers, sections, imports, and resources", + "category": "static-analysis-pe", + "platform": "windows", + "in_remnux": false, + "labs": [], + "typical_usage": [ + "CFF Explorer specimen.exe" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "pe", + "header-editing", + "resources" + ] + }, + { + "id": "file", + "name": "file", + "aliases": [], + "description": "Determine file type and MIME type using magic bytes", + "category": "static-analysis-pe", + "platform": "linux", + "in_remnux": true, + "labs": [ + "3.4", + "3.5" + ], + "typical_usage": [ + "file specimen.exe", + "file document.doc" + ], + "for610_sections": [ + 3 + ], + "tags": [ + "file-identification", + "triage" + ] + }, + { + "id": "trid", + "name": "trid", + "aliases": [], + "description": "Identify file type by scanning binary signatures database", + "category": "static-analysis-pe", + "platform": "linux", + "in_remnux": true, + "labs": [ + "3.3", + "3.4" + ], + "typical_usage": [ + "trid document.doc" + ], + "for610_sections": [ + 3 + ], + "tags": [ + "file-identification", + "triage" + ] + }, + { + "id": "exiftool", + 
"name": "exiftool", + "aliases": [], + "description": "Extract metadata from files (PDF, images, documents, executables)", + "category": "static-analysis-pe", + "platform": "linux", + "in_remnux": true, + "labs": [], + "typical_usage": [ + "exiftool document.pdf", + "exiftool specimen.exe" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "metadata", + "triage" + ] + }, + { + "id": "system-informer", + "name": "System Informer", + "aliases": [ + "Process Hacker" + ], + "description": "Monitor processes, network connections, handles, and system resources in real time", + "category": "behavioral-analysis", + "platform": "windows", + "in_remnux": false, + "labs": [ + "1.2", + "1.3", + "1.6", + "1.7", + "1.8", + "4.2", + "4.5", + "5.1" + ], + "typical_usage": [ + "SystemInformer.exe" + ], + "for610_sections": [ + 1, + 4, + 5 + ], + "tags": [ + "process-monitoring", + "handles", + "network", + "real-time" + ] + }, + { + "id": "process-monitor", + "name": "Process Monitor", + "aliases": [ + "ProcMon", + "procmon" + ], + "description": "Record file system, registry, process, and thread activity in real time", + "category": "behavioral-analysis", + "platform": "windows", + "in_remnux": false, + "labs": [ + "1.2", + "4.5" + ], + "typical_usage": [ + "Procmon.exe" + ], + "for610_sections": [ + 1, + 4 + ], + "tags": [ + "filesystem", + "registry", + "process-monitoring", + "real-time" + ] + }, + { + "id": "regshot", + "name": "Regshot", + "aliases": [], + "description": "Take and compare registry/filesystem snapshots before and after infection", + "category": "behavioral-analysis", + "platform": "windows", + "in_remnux": false, + "labs": [ + "1.2" + ], + "typical_usage": [ + "Regshot-x64-Unicode.exe" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "registry", + "filesystem", + "snapshot", + "comparison" + ] + }, + { + "id": "procdot", + "name": "ProcDOT", + "aliases": [], + "description": "Visualize Process Monitor logs as interactive graphs for behavioral analysis", + 
"category": "behavioral-analysis", + "platform": "both", + "in_remnux": true, + "labs": [ + "1.2", + "4.5" + ], + "typical_usage": [ + "procdot" + ], + "for610_sections": [ + 1, + 4 + ], + "tags": [ + "visualization", + "process-monitor", + "behavioral" + ] + }, + { + "id": "autoruns", + "name": "Autoruns", + "aliases": [], + "description": "View and manage all autostart locations \u2014 startup programs, services, drivers, scheduled tasks", + "category": "behavioral-analysis", + "platform": "windows", + "in_remnux": false, + "labs": [], + "typical_usage": [ + "Autoruns.exe" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "persistence", + "autostart", + "startup" + ] + }, + { + "id": "api-monitor", + "name": "API Monitor", + "aliases": [], + "description": "Monitor and record API calls made by processes", + "category": "behavioral-analysis", + "platform": "windows", + "in_remnux": false, + "labs": [], + "typical_usage": [ + "apimonitor-x64.exe" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "api-calls", + "monitoring", + "dynamic-analysis" + ] + }, + { + "id": "tcplogview", + "name": "TcpLogView", + "aliases": [], + "description": "Log opened and closed TCP connections with process information", + "category": "behavioral-analysis", + "platform": "windows", + "in_remnux": false, + "labs": [], + "typical_usage": [ + "TcpLogView.exe" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "network", + "tcp", + "connection-logging" + ] + }, + { + "id": "wireshark", + "name": "Wireshark", + "aliases": [], + "description": "GUI network protocol analyzer for capturing and inspecting packet-level traffic", + "category": "network-analysis", + "platform": "both", + "in_remnux": true, + "labs": [ + "1.2", + "1.3", + "1.6", + "1.7", + "1.8", + "5.1" + ], + "typical_usage": [ + "wireshark", + "wireshark -r capture.pcap" + ], + "for610_sections": [ + 1, + 5 + ], + "tags": [ + "packet-capture", + "protocol-analysis", + "network" + ] + }, + { + "id": "tshark", + "name": 
"tshark", + "aliases": [], + "description": "Command-line interface to Wireshark for packet capture and analysis", + "category": "network-analysis", + "platform": "both", + "in_remnux": true, + "labs": [], + "typical_usage": [ + "tshark -r capture.pcap", + "tshark -i eth0 -w capture.pcap" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "packet-capture", + "cli", + "network" + ] + }, + { + "id": "tcpdump", + "name": "tcpdump", + "aliases": [], + "description": "Command-line packet capture tool", + "category": "network-analysis", + "platform": "linux", + "in_remnux": true, + "labs": [], + "typical_usage": [ + "tcpdump -i eth0 -w capture.pcap", + "tcpdump -r capture.pcap" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "packet-capture", + "cli", + "network" + ] + }, + { + "id": "fiddler", + "name": "Fiddler", + "aliases": [], + "description": "HTTP/HTTPS debugging proxy for intercepting, inspecting, and modifying web traffic", + "category": "network-analysis", + "platform": "windows", + "in_remnux": false, + "labs": [ + "3.2", + "3.8", + "3.9", + "3.10", + "3.11", + "3.12", + "4.5" + ], + "typical_usage": [ + "Fiddler.exe" + ], + "for610_sections": [ + 3, + 4 + ], + "tags": [ + "http", + "https", + "proxy", + "web-traffic" + ] + }, + { + "id": "fakedns", + "name": "fakedns", + "aliases": [], + "description": "Fake DNS server that resolves all queries to a specified IP for traffic interception", + "category": "network-analysis", + "platform": "linux", + "in_remnux": true, + "labs": [ + "1.3", + "1.6", + "1.7", + "1.8" + ], + "typical_usage": [ + "fakedns" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "dns", + "spoofing", + "interception", + "lab-setup" + ] + }, + { + "id": "inetsim", + "name": "INetSim", + "aliases": [], + "description": "Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for malware analysis in isolated labs", + "category": "network-analysis", + "platform": "linux", + "in_remnux": true, + "labs": [ + "1.7" + ], + "typical_usage": [ + 
"inetsim" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "service-emulation", + "network-simulation", + "lab-setup" + ] + }, + { + "id": "httpd", + "name": "httpd", + "aliases": [ + "accept-all-ips" + ], + "description": "Simple HTTP server on REMnux for simulating C2 web servers", + "category": "network-analysis", + "platform": "linux", + "in_remnux": true, + "labs": [ + "1.3", + "1.6", + "1.8" + ], + "typical_usage": [ + "httpd" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "http", + "web-server", + "c2-simulation", + "lab-setup" + ] + }, + { + "id": "iptables", + "name": "iptables", + "aliases": [], + "description": "Linux firewall and NAT tool for redirecting IP-based malware traffic", + "category": "network-analysis", + "platform": "linux", + "in_remnux": true, + "labs": [ + "1.8" + ], + "typical_usage": [ + "iptables -t nat -A PREROUTING -i ens32 -j REDIRECT" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "firewall", + "nat", + "traffic-redirection" + ] + }, + { + "id": "netcat", + "name": "nc", + "aliases": [ + "netcat" + ], + "description": "Network utility for reading/writing data across TCP/UDP connections", + "category": "network-analysis", + "platform": "both", + "in_remnux": true, + "labs": [], + "typical_usage": [ + "nc -l -p 3127", + "nc target_ip 80" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "network", + "tcp", + "listener" + ] + }, + { + "id": "nslookup", + "name": "nslookup", + "aliases": [], + "description": "DNS query tool for testing name resolution", + "category": "network-analysis", + "platform": "both", + "in_remnux": true, + "labs": [ + "1.3" + ], + "typical_usage": [ + "nslookup domain.com" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "dns", + "testing" + ] + }, + { + "id": "thug", + "name": "Thug", + "aliases": [], + "description": "Low-interaction honeyclient for analyzing malicious websites and drive-by downloads", + "category": "network-analysis", + "platform": "linux", + "in_remnux": true, + "labs": [], + 
"typical_usage": [ + "thug -u win7chrome49 http://suspicious-site.com" + ], + "for610_sections": [ + 3 + ], + "tags": [ + "honeyclient", + "web-analysis", + "drive-by" + ] + }, + { + "id": "burp-suite", + "name": "Burp Suite", + "aliases": [ + "Burp" + ], + "description": "Web application security proxy for intercepting and modifying HTTP/HTTPS traffic", + "category": "network-analysis", + "platform": "both", + "in_remnux": false, + "labs": [], + "typical_usage": [ + "burpsuite" + ], + "for610_sections": [ + 3 + ], + "tags": [ + "http", + "https", + "proxy", + "web-security" + ] + }, + { + "id": "torsocks", + "name": "torsocks", + "aliases": [], + "description": "Route network traffic through the Tor anonymity network", + "category": "network-analysis", + "platform": "linux", + "in_remnux": true, + "labs": [], + "typical_usage": [ + "torsocks curl http://example.onion" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "tor", + "anonymity", + "network-routing" + ] + }, + { + "id": "ghidra", + "name": "Ghidra", + "aliases": [], + "description": "Open-source disassembler and decompiler from NSA with scripting, function graphs, and data type management", + "category": "code-analysis", + "platform": "both", + "in_remnux": true, + "labs": [ + "2.1", + "2.2", + "2.3", + "2.4", + "2.5", + "2.6", + "2.7", + "2.8", + "4.9", + "5.2", + "5.4", + "5.5", + "5.6", + "5.7", + "5.9" + ], + "typical_usage": [ + "ghidra" + ], + "for610_sections": [ + 2, + 4, + 5 + ], + "tags": [ + "disassembly", + "decompilation", + "code-analysis", + "function-graph" + ] + }, + { + "id": "ida", + "name": "IDA", + "aliases": [ + "IDA Pro", + "IDA Freeware" + ], + "description": "Commercial interactive disassembler and debugger from Hex-Rays", + "category": "code-analysis", + "platform": "both", + "in_remnux": false, + "labs": [], + "typical_usage": [ + "ida64.exe specimen.exe" + ], + "for610_sections": [ + 2 + ], + "tags": [ + "disassembly", + "decompilation", + "commercial" + ] + }, + { + "id": 
"binary-ninja", + "name": "Binary Ninja", + "aliases": [], + "description": "Commercial disassembler with strong automated analysis and scripting", + "category": "code-analysis", + "platform": "both", + "in_remnux": false, + "labs": [], + "typical_usage": [ + "binaryninja specimen.exe" + ], + "for610_sections": [ + 2 + ], + "tags": [ + "disassembly", + "commercial" + ] + }, + { + "id": "cutter", + "name": "Cutter", + "aliases": [], + "description": "Open-source reverse engineering platform \u2014 Qt-based GUI for radare2", + "category": "code-analysis", + "platform": "both", + "in_remnux": true, + "labs": [], + "typical_usage": [ + "cutter specimen.exe" + ], + "for610_sections": [ + 2 + ], + "tags": [ + "disassembly", + "radare2", + "open-source" + ] + }, + { + "id": "radare2", + "name": "radare2", + "aliases": [ + "r2" + ], + "description": "Open-source reverse engineering command-line framework", + "category": "code-analysis", + "platform": "both", + "in_remnux": true, + "labs": [], + "typical_usage": [ + "r2 specimen.exe" + ], + "for610_sections": [ + 2 + ], + "tags": [ + "disassembly", + "cli", + "open-source" + ] + }, + { + "id": "x64dbg", + "name": "x64dbg", + "aliases": [], + "description": "Open-source 64-bit debugger for dynamic malware analysis \u2014 breakpoints, memory inspection, patching", + "category": "debugging", + "platform": "windows", + "in_remnux": false, + "labs": [ + "1.5", + "4.3", + "4.4", + "5.1" + ], + "typical_usage": [ + "x64dbg.exe specimen.exe" + ], + "for610_sections": [ + 1, + 4, + 5 + ], + "tags": [ + "debugger", + "64-bit", + "dynamic-analysis", + "breakpoints" + ] + }, + { + "id": "x32dbg", + "name": "x32dbg", + "aliases": [], + "description": "Open-source 32-bit debugger for dynamic malware analysis \u2014 breakpoints, memory inspection, patching", + "category": "debugging", + "platform": "windows", + "in_remnux": false, + "labs": [ + "3.5", + "3.10", + "4.6", + "4.7", + "5.3", + "5.4", + "5.5", + "5.6", + "5.7", + "5.8", + 
"5.9", + "5.10" + ], + "typical_usage": [ + "x32dbg.exe specimen.exe" + ], + "for610_sections": [ + 3, + 4, + 5 + ], + "tags": [ + "debugger", + "32-bit", + "dynamic-analysis", + "breakpoints" + ] + }, + { + "id": "ollydbg", + "name": "OllyDbg", + "aliases": [], + "description": "Classic 32-bit debugger for Windows (legacy, predecessor to x32dbg)", + "category": "debugging", + "platform": "windows", + "in_remnux": false, + "labs": [], + "typical_usage": [ + "ollydbg.exe specimen.exe" + ], + "for610_sections": [ + 4, + 5 + ], + "tags": [ + "debugger", + "32-bit", + "legacy" + ] + }, + { + "id": "windbg", + "name": "WinDbg", + "aliases": [], + "description": "Microsoft Windows debugger for kernel and user-mode debugging", + "category": "debugging", + "platform": "windows", + "in_remnux": false, + "labs": [], + "typical_usage": [ + "windbg.exe specimen.exe" + ], + "for610_sections": [ + 2 + ], + "tags": [ + "debugger", + "kernel", + "microsoft" + ] + }, + { + "id": "speakeasy", + "name": "speakeasy", + "aliases": [], + "description": "Windows binary emulator \u2014 emulates API calls to analyze malware behavior without native execution", + "category": "emulation", + "platform": "linux", + "in_remnux": true, + "labs": [ + "1.4" + ], + "typical_usage": [ + "speakeasy -t specimen.exe -o report.json 2> report.txt", + "speakeasy -t shellcode.bin -r -a x86" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "emulation", + "api-calls", + "behavioral-analysis" + ] + }, + { + "id": "scdbgc", + "name": "scdbgc", + "aliases": [ + "scdbg" + ], + "description": "Shellcode emulator \u2014 analyze shellcode behavior through API-level emulation", + "category": "emulation", + "platform": "both", + "in_remnux": true, + "labs": [ + "3.4", + "3.5", + "4.6" + ], + "typical_usage": [ + "scdbgc /f shellcode.bin /s -1", + "scdbgc /f shellcode.bin /foff 0x3B /fopen qa.doc", + "scdbgc /f shellcode.bin /s -1 /norw" + ], + "for610_sections": [ + 3, + 4 + ], + "tags": [ + "shellcode", + 
"emulation", + "api-calls" + ] + }, + { + "id": "runsc32", + "name": "runsc32", + "aliases": [ + "runsc" + ], + "description": "Execute extracted shellcode for dynamic analysis", + "category": "emulation", + "platform": "windows", + "in_remnux": false, + "labs": [ + "3.5", + "4.6" + ], + "typical_usage": [ + "runsc32 -f shellcode.bin -o 0x3B -d qa.doc" + ], + "for610_sections": [ + 3, + 4 + ], + "tags": [ + "shellcode", + "execution", + "dynamic-analysis" + ] + }, + { + "id": "box-js", + "name": "box-js", + "aliases": [], + "description": "JavaScript sandbox for analyzing malicious scripts by emulating browser/WScript APIs", + "category": "emulation", + "platform": "linux", + "in_remnux": true, + "labs": [], + "typical_usage": [ + "box-js --output-dir=/tmp suspicious.js" + ], + "for610_sections": [ + 3 + ], + "tags": [ + "javascript", + "sandbox", + "emulation" + ] + }, + { + "id": "upx", + "name": "UPX", + "aliases": [ + "upx" + ], + "description": "Universal Packer for eXecutables \u2014 compress and decompress PE files", + "category": "unpacking", + "platform": "both", + "in_remnux": true, + "labs": [ + "4.2" + ], + "typical_usage": [ + "upx -d packed.exe", + "upx -d packed.exe -o unpacked.exe" + ], + "for610_sections": [ + 4 + ], + "tags": [ + "packer", + "unpacker", + "compression" + ] + }, + { + "id": "scylla", + "name": "Scylla", + "aliases": [], + "description": "Dump processes from memory and reconstruct import address tables (IAT)", + "category": "unpacking", + "platform": "windows", + "in_remnux": false, + "labs": [ + "4.2", + "4.3", + "5.4", + "5.8", + "5.10" + ], + "typical_usage": [ + "Scylla x64 > Attach to process > Dump > IAT Autosearch > Fix Dump" + ], + "for610_sections": [ + 4, + 5 + ], + "tags": [ + "memory-dump", + "iat-reconstruction", + "unpacking" + ] + }, + { + "id": "ollydumpex", + "name": "OllyDumpEx", + "aliases": [], + "description": "x64dbg/x32dbg plugin for dumping unpacked process memory to disk", + "category": "unpacking", + 
"platform": "windows", + "in_remnux": false, + "labs": [ + "4.3", + "5.4", + "5.8" + ], + "typical_usage": [ + "Plugins > OllyDumpEx > Dump process" + ], + "for610_sections": [ + 4, + 5 + ], + "tags": [ + "memory-dump", + "x64dbg-plugin", + "unpacking" + ] + }, + { + "id": "pe-unmapper", + "name": "pe_unmapper", + "aliases": [], + "description": "Convert dumped PE from virtual memory alignment to raw disk alignment", + "category": "unpacking", + "platform": "windows", + "in_remnux": false, + "labs": [ + "5.10" + ], + "typical_usage": [ + "pe_unmapper /in dumped.exe /base 400000 /out fixed.exe" + ], + "for610_sections": [ + 5 + ], + "tags": [ + "pe-fixup", + "memory-dump", + "alignment" + ] + }, + { + "id": "setdllcharacteristics", + "name": "setdllcharacteristics", + "aliases": [], + "description": "Modify PE header flags \u2014 commonly used to disable ASLR (DynamicBase)", + "category": "unpacking", + "platform": "windows", + "in_remnux": false, + "author": "Didier Stevens", + "labs": [ + "4.2" + ], + "typical_usage": [ + "setdllcharacteristics -d specimen.exe" + ], + "for610_sections": [ + 4 + ], + "tags": [ + "pe-header", + "aslr", + "didier-stevens" + ] + }, + { + "id": "ilspy", + "name": "ILSpy", + "aliases": [], + "description": ".NET assembly decompiler \u2014 view C#/VB.NET source from compiled .NET binaries", + "category": "dotnet-analysis", + "platform": "windows", + "in_remnux": false, + "labs": [ + "3.12", + "4.8" + ], + "typical_usage": [ + "ILSpy.exe assembly.exe" + ], + "for610_sections": [ + 3, + 4 + ], + "tags": [ + "dotnet", + "decompiler", + "csharp" + ] + }, + { + "id": "ilspycmd", + "name": "ilspycmd", + "aliases": [], + "description": "Command-line .NET decompiler (CLI version of ILSpy)", + "category": "dotnet-analysis", + "platform": "linux", + "in_remnux": true, + "labs": [ + "4.8" + ], + "typical_usage": [ + "ilspycmd assembly.exe > decompiled.cs" + ], + "for610_sections": [ + 4 + ], + "tags": [ + "dotnet", + "decompiler", + "cli" + ] + }, 
+ { + "id": "dnspyex", + "name": "dnSpyEx", + "aliases": [ + "dnSpy" + ], + "description": ".NET debugger and decompiler \u2014 debug obfuscated/packed .NET malware with breakpoints", + "category": "dotnet-analysis", + "platform": "windows", + "in_remnux": false, + "labs": [ + "4.8" + ], + "typical_usage": [ + "dnSpyEx.exe assembly.exe" + ], + "for610_sections": [ + 4 + ], + "tags": [ + "dotnet", + "debugger", + "decompiler" + ] + }, + { + "id": "de4dot", + "name": "de4dot", + "aliases": [], + "description": ".NET deobfuscator \u2014 remove obfuscation from .NET assemblies", + "category": "dotnet-analysis", + "platform": "both", + "in_remnux": true, + "labs": [ + "4.8" + ], + "typical_usage": [ + "de4dot obfuscated.exe" + ], + "for610_sections": [ + 4 + ], + "tags": [ + "dotnet", + "deobfuscation" + ] + }, + { + "id": "dotpeek", + "name": "dotPeek", + "aliases": [], + "description": "Free JetBrains .NET decompiler \u2014 alternative to ILSpy for viewing .NET source", + "category": "dotnet-analysis", + "platform": "windows", + "in_remnux": false, + "labs": [], + "typical_usage": [ + "dotPeek.exe assembly.exe" + ], + "for610_sections": [ + 4 + ], + "tags": [ + "dotnet", + "decompiler", + "jetbrains" + ] + }, + { + "id": "dotdumper", + "name": "DotDumper", + "aliases": [], + "description": "Execution monitor and memory extractor for automatic .NET malware unpacking", + "category": "dotnet-analysis", + "platform": "windows", + "in_remnux": false, + "labs": [], + "typical_usage": [ + "DotDumper.exe -file chatroom.exe" + ], + "for610_sections": [ + 4 + ], + "tags": [ + "dotnet", + "unpacking", + "memory-extraction", + "automated" + ] + }, + { + "id": "spidermonkey", + "name": "SpiderMonkey", + "aliases": [ + "js" + ], + "description": "Mozilla JavaScript engine \u2014 execute and deobfuscate malicious JavaScript outside a browser", + "category": "javascript-analysis", + "platform": "linux", + "in_remnux": true, + "labs": [ + "3.6", + "3.7", + "4.5" + ], + 
"typical_usage": [ + "js -f malicious.js", + "js -f /usr/share/remnux/objects.js -f malicious.js > decoded.js" + ], + "for610_sections": [ + 3, + 4 + ], + "tags": [ + "javascript", + "deobfuscation", + "execution" + ] + }, + { + "id": "js-beautify", + "name": "js-beautify", + "aliases": [], + "description": "Format and beautify obfuscated JavaScript code for readability", + "category": "javascript-analysis", + "platform": "linux", + "in_remnux": true, + "labs": [ + "3.6", + "4.5" + ], + "typical_usage": [ + "js-beautify malicious.js > beautified.js" + ], + "for610_sections": [ + 3 + ], + "tags": [ + "javascript", + "formatting", + "readability" + ] + }, + { + "id": "cscript", + "name": "CScript", + "aliases": [ + "cscript.exe" + ], + "description": "Windows Script Host command-line \u2014 execute JScript/VBScript for AMSI monitoring", + "category": "javascript-analysis", + "platform": "windows", + "in_remnux": false, + "labs": [ + "3.6" + ], + "typical_usage": [ + "cscript malicious.js" + ], + "for610_sections": [ + 3 + ], + "tags": [ + "javascript", + "vbscript", + "windows-script-host" + ] + }, + { + "id": "powershell-ise", + "name": "PowerShell ISE", + "aliases": [ + "powershell_ise" + ], + "description": "PowerShell Integrated Scripting Environment \u2014 debug scripts with breakpoints and variable inspection", + "category": "powershell-analysis", + "platform": "windows", + "in_remnux": false, + "labs": [ + "3.9", + "3.11", + "4.5" + ], + "typical_usage": [ + "powershell_ise script.ps1" + ], + "for610_sections": [ + 3, + 4 + ], + "tags": [ + "powershell", + "debugger", + "script-analysis" + ] + }, + { + "id": "logman", + "name": "logman", + "aliases": [], + "description": "Windows Event Trace session manager \u2014 enable AMSI script content logging", + "category": "powershell-analysis", + "platform": "windows", + "in_remnux": false, + "labs": [ + "3.6" + ], + "typical_usage": [ + "logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o 
AMSITrace.etl -ets", + "logman stop AMSITrace -ets" + ], + "for610_sections": [ + 3 + ], + "tags": [ + "amsi", + "event-tracing", + "monitoring" + ] + }, + { + "id": "amsiscriptcontentretrieval", + "name": "AMSIScriptContentRetrieval", + "aliases": [], + "description": "Extract monitored script content from AMSI Event Trace logs", + "category": "powershell-analysis", + "platform": "windows", + "in_remnux": false, + "labs": [ + "3.6" + ], + "typical_usage": [ + "AMSIScriptContentRetrieval AMSITrace.etl > output.txt" + ], + "for610_sections": [ + 3 + ], + "tags": [ + "amsi", + "script-extraction" + ] + }, + { + "id": "floss", + "name": "FLOSS", + "aliases": [ + "floss" + ], + "description": "Automatically extract obfuscated strings from malware using static analysis, stack strings, and emulation", + "category": "string-deobfuscation", + "platform": "both", + "in_remnux": true, + "labs": [ + "5.2", + "5.3" + ], + "typical_usage": [ + "floss specimen.exe", + "floss specimen.exe > strings-output.txt", + "floss --no-static -- specimen.exe" + ], + "for610_sections": [ + 5 + ], + "tags": [ + "strings", + "deobfuscation", + "automated" + ] + }, + { + "id": "xorsearch", + "name": "XORSearch", + "aliases": [], + "description": "Search for XOR/ROL/ROT/SHIFT-encoded patterns including shellcode signatures", + "category": "string-deobfuscation", + "platform": "linux", + "in_remnux": true, + "author": "Didier Stevens", + "labs": [ + "3.5", + "5.2" + ], + "typical_usage": [ + "XORSearch -W -d 3 file.bin", + "XORSearch -i -s specimen.exe http:" + ], + "for610_sections": [ + 3, + 5 + ], + "tags": [ + "xor", + "shellcode-detection", + "pattern-search", + "didier-stevens" + ] + }, + { + "id": "brxor-py", + "name": "brxor.py", + "aliases": [], + "description": "Brute-force XOR key detection for single-byte XOR-encoded strings", + "category": "string-deobfuscation", + "platform": "linux", + "in_remnux": true, + "labs": [ + "5.2" + ], + "typical_usage": [ + "brxor.py specimen.dll" + ], + 
"for610_sections": [ + 5 + ], + "tags": [ + "xor", + "brute-force", + "deobfuscation" + ] + }, + { + "id": "bbcrack", + "name": "bbcrack", + "aliases": [], + "description": "Detect and decode strings obfuscated with XOR, ROL, and ADD algorithms", + "category": "string-deobfuscation", + "platform": "linux", + "in_remnux": true, + "labs": [ + "5.2" + ], + "typical_usage": [ + "bbcrack -l 1 specimen.dll" + ], + "for610_sections": [ + 5 + ], + "tags": [ + "xor", + "rol", + "add", + "deobfuscation", + "balbuzard" + ] + }, + { + "id": "strdeob-pl", + "name": "strdeob.pl", + "aliases": [], + "description": "Automatically decode stack-built strings from disassembled malware", + "category": "string-deobfuscation", + "platform": "linux", + "in_remnux": true, + "labs": [ + "5.2" + ], + "typical_usage": [ + "strdeob.pl specimen.exe" + ], + "for610_sections": [ + 5 + ], + "tags": [ + "stack-strings", + "deobfuscation" + ] + }, + { + "id": "cyberchef", + "name": "CyberChef", + "aliases": [], + "description": "Web-based data transformation tool \u2014 decode Base64, XOR, hex, decompress, and chain operations", + "category": "string-deobfuscation", + "platform": "both", + "in_remnux": true, + "labs": [ + "1.5", + "3.8", + "3.12" + ], + "typical_usage": [ + "cyberchef" + ], + "for610_sections": [ + 1, + 3 + ], + "tags": [ + "decoding", + "encoding", + "transformation", + "web-based" + ] + }, + { + "id": "capa", + "name": "capa", + "aliases": [], + "description": "Identify malware capabilities mapped to MITRE ATT&CK framework and Malware Behavior Catalog", + "category": "yara-detection", + "platform": "both", + "in_remnux": true, + "labs": [ + "1.4", + "5.4" + ], + "typical_usage": [ + "capa specimen.exe", + "capa -vv specimen.exe", + "capa -vv specimen.exe | grep -A7 'Suspended Process'" + ], + "for610_sections": [ + 1, + 5 + ], + "tags": [ + "capabilities", + "mitre-attack", + "automated-analysis" + ] + }, + { + "id": "yara", + "name": "yara", + "aliases": [ + "yara-rules" + ], + 
"description": "Pattern matching tool for identifying and classifying malware using custom rules", + "category": "yara-detection", + "platform": "both", + "in_remnux": true, + "labs": [ + "3.4" + ], + "typical_usage": [ + "yara-rules specimen.bin", + "yara rule.yar specimen.exe" + ], + "for610_sections": [ + 3 + ], + "tags": [ + "pattern-matching", + "classification", + "rules" + ] + }, + { + "id": "1768-py", + "name": "1768.py", + "aliases": [], + "description": "Parse Cobalt Strike beacon configuration from shellcode or memory dumps", + "category": "yara-detection", + "platform": "linux", + "in_remnux": true, + "author": "Didier Stevens", + "labs": [ + "3.4" + ], + "typical_usage": [ + "1768.py shellcode.bin" + ], + "for610_sections": [ + 3 + ], + "tags": [ + "cobalt-strike", + "beacon", + "c2-config", + "didier-stevens" + ] + }, + { + "id": "scyllahide", + "name": "ScyllaHide", + "aliases": [], + "description": "x64dbg/x32dbg plugin to hide debugger presence from anti-debugging checks", + "category": "anti-analysis", + "platform": "windows", + "in_remnux": false, + "labs": [ + "5.3", + "5.6" + ], + "typical_usage": [ + "Plugins > ScyllaHide > Options > Enable all" + ], + "for610_sections": [ + 5 + ], + "tags": [ + "anti-debugging", + "debugger-hiding", + "x64dbg-plugin" + ] + }, + { + "id": "xanalyzer", + "name": "xAnalyzer", + "aliases": [], + "description": "x32dbg plugin providing extended analysis \u2014 API parameter names and types in disassembly", + "category": "anti-analysis", + "platform": "windows", + "in_remnux": false, + "labs": [ + "5.10" + ], + "typical_usage": [ + "Plugins > xAnalyzer" + ], + "for610_sections": [ + 5 + ], + "tags": [ + "x32dbg-plugin", + "analysis-enhancement" + ] + }, + { + "id": "virustotal", + "name": "VirusTotal", + "aliases": [ + "VT" + ], + "description": "Multi-engine antivirus scanning, behavioral analysis, and threat intelligence", + "category": "online-platforms", + "platform": "online", + "in_remnux": false, + "labs": 
[], + "typical_usage": [ + "https://virustotal.com" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "scanning", + "multi-engine", + "threat-intel" + ] + }, + { + "id": "hybrid-analysis", + "name": "Hybrid Analysis", + "aliases": [], + "description": "CrowdStrike automated sandbox for malware detonation and behavioral reporting", + "category": "online-platforms", + "platform": "online", + "in_remnux": false, + "labs": [], + "typical_usage": [ + "https://hybrid-analysis.com" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "sandbox", + "behavioral", + "crowdstrike" + ] + }, + { + "id": "any-run", + "name": "Any.run", + "aliases": [], + "description": "Interactive online malware analysis sandbox with real-time process monitoring", + "category": "online-platforms", + "platform": "online", + "in_remnux": false, + "labs": [], + "typical_usage": [ + "https://any.run" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "sandbox", + "interactive", + "real-time" + ] + }, + { + "id": "cape-sandbox", + "name": "CAPE Sandbox", + "aliases": [ + "CAPE" + ], + "description": "Automated malware analysis sandbox with payload extraction and config dumping", + "category": "online-platforms", + "platform": "online", + "in_remnux": false, + "labs": [], + "typical_usage": [ + "https://capesandbox.com" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "sandbox", + "automated", + "payload-extraction" + ] + }, + { + "id": "malwarebazaar", + "name": "MalwareBazaar", + "aliases": [], + "description": "Malware sample sharing platform by abuse.ch", + "category": "online-platforms", + "platform": "online", + "in_remnux": false, + "labs": [], + "typical_usage": [ + "https://bazaar.abuse.ch" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "sample-sharing", + "repository" + ] + }, + { + "id": "intezer-analyze", + "name": "Intezer Analyze", + "aliases": [], + "description": "Automated code analysis platform for malware classification using code reuse detection", + "category": 
"online-platforms", + "platform": "online", + "in_remnux": false, + "labs": [], + "typical_usage": [ + "https://analyze.intezer.com" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "code-reuse", + "classification", + "automated" + ] + }, + { + "id": "filescan-io", + "name": "FileScan.IO", + "aliases": [], + "description": "Online malware analysis sandbox with multi-format support", + "category": "online-platforms", + "platform": "online", + "in_remnux": false, + "labs": [], + "typical_usage": [ + "https://filescan.io" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "sandbox", + "online" + ] + }, + { + "id": "urlscan-io", + "name": "urlscan.io", + "aliases": [], + "description": "Website and URL investigation service \u2014 screenshots, DOM analysis, network requests", + "category": "online-platforms", + "platform": "online", + "in_remnux": false, + "labs": [], + "typical_usage": [ + "https://urlscan.io" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "url-analysis", + "website-investigation" + ] + }, + { + "id": "shodan", + "name": "Shodan", + "aliases": [], + "description": "Search engine for internet-connected devices and exposed services", + "category": "online-platforms", + "platform": "online", + "in_remnux": false, + "labs": [], + "typical_usage": [ + "https://shodan.io" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "infrastructure", + "reconnaissance" + ] + }, + { + "id": "otx", + "name": "Open Threat Exchange", + "aliases": [ + "OTX", + "LevelBlue Labs" + ], + "description": "Threat intelligence sharing platform for indicators of compromise", + "category": "online-platforms", + "platform": "online", + "in_remnux": false, + "labs": [], + "typical_usage": [ + "https://otx.alienvault.com" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "threat-intel", + "ioc-sharing" + ] + }, + { + "id": "threatfox", + "name": "ThreatFox", + "aliases": [], + "description": "Threat intelligence platform for sharing IOCs associated with malware", + "category": 
"online-platforms", + "platform": "online", + "in_remnux": false, + "labs": [], + "typical_usage": [ + "https://threatfox.abuse.ch" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "threat-intel", + "ioc-sharing", + "abuse-ch" + ] + }, + { + "id": "securitytrails", + "name": "SecurityTrails", + "aliases": [], + "description": "Historical DNS records and IP/domain intelligence", + "category": "online-platforms", + "platform": "online", + "in_remnux": false, + "labs": [], + "typical_usage": [ + "https://securitytrails.com" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "dns-history", + "domain-intel" + ] + }, + { + "id": "unpacme", + "name": "UnpacMe", + "aliases": [], + "description": "Automated online malware unpacking service", + "category": "online-platforms", + "platform": "online", + "in_remnux": false, + "labs": [], + "typical_usage": [ + "https://www.unpac.me" + ], + "for610_sections": [ + 4 + ], + "tags": [ + "unpacking", + "automated", + "online" + ] + }, + { + "id": "vmware-workstation", + "name": "VMware Workstation Pro", + "aliases": [ + "VMware" + ], + "description": "Desktop hypervisor for running isolated analysis VMs with snapshots and host-only networking", + "category": "virtualization", + "platform": "both", + "in_remnux": false, + "labs": [], + "typical_usage": [ + "vmware" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "hypervisor", + "vm", + "isolation" + ] + }, + { + "id": "vmware-fusion", + "name": "VMware Fusion", + "aliases": [], + "description": "macOS hypervisor for running analysis virtual machines", + "category": "virtualization", + "platform": "both", + "in_remnux": false, + "labs": [], + "typical_usage": [ + "VMware Fusion.app" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "hypervisor", + "macos" + ] + }, + { + "id": "virtualbox", + "name": "VirtualBox", + "aliases": [], + "description": "Open-source hypervisor for running analysis virtual machines", + "category": "virtualization", + "platform": "both", + "in_remnux": 
false, + "labs": [], + "typical_usage": [ + "VirtualBox" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "hypervisor", + "open-source" + ] + }, + { + "id": "visual-studio-code", + "name": "Visual Studio Code", + "aliases": [ + "code", + "VS Code" + ], + "description": "Code editor used for viewing decompiled output, scripts, and analysis results", + "category": "utilities", + "platform": "both", + "in_remnux": true, + "labs": [ + "1.3", + "1.4", + "1.5", + "3.3", + "3.6", + "3.7", + "4.5", + "4.8", + "5.2", + "5.3" + ], + "typical_usage": [ + "code filename.js" + ], + "for610_sections": [ + 1, + 3, + 4, + 5 + ], + "tags": [ + "editor", + "code-viewer" + ] + }, + { + "id": "notepadpp", + "name": "Notepad++", + "aliases": [], + "description": "Advanced Windows text editor with syntax highlighting for script analysis", + "category": "utilities", + "platform": "windows", + "in_remnux": false, + "labs": [ + "3.6", + "3.8", + "3.9", + "3.10", + "3.11", + "3.12", + "4.5" + ], + "typical_usage": [ + "notepad++ script.ps1" + ], + "for610_sections": [ + 3, + 4 + ], + "tags": [ + "editor", + "windows" + ] + }, + { + "id": "jq", + "name": "jq", + "aliases": [], + "description": "Command-line JSON processor for extracting and transforming structured data", + "category": "utilities", + "platform": "linux", + "in_remnux": true, + "labs": [ + "1.4" + ], + "typical_usage": [ + "cat report.json | jq '.apis'", + "jq -r '.entry' report.json" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "json", + "data-processing" + ] + }, + { + "id": "feh", + "name": "feh", + "aliases": [], + "description": "Lightweight image viewer for viewing extracted images from documents", + "category": "utilities", + "platform": "linux", + "in_remnux": true, + "labs": [ + "3.1" + ], + "typical_usage": [ + "feh extracted_image.jpg" + ], + "for610_sections": [ + 3 + ], + "tags": [ + "image-viewer" + ] + }, + { + "id": "winscp", + "name": "WinSCP", + "aliases": [], + "description": "Windows SCP/SFTP client 
for transferring files between Windows and Linux VMs", + "category": "utilities", + "platform": "windows", + "in_remnux": false, + "labs": [ + "4.5" + ], + "typical_usage": [ + "WinSCP.exe" + ], + "for610_sections": [ + 4 + ], + "tags": [ + "file-transfer", + "scp" + ] + }, + { + "id": "wine", + "name": "Wine", + "aliases": [], + "description": "Windows compatibility layer \u2014 run Windows executables on Linux", + "category": "utilities", + "platform": "linux", + "in_remnux": true, + "labs": [ + "3.5" + ], + "typical_usage": [ + "wine program.exe" + ], + "for610_sections": [ + 3 + ], + "tags": [ + "windows-compat", + "execution" + ] + }, + { + "id": "unzip", + "name": "unzip", + "aliases": [], + "description": "Extract ZIP archives containing malware samples", + "category": "utilities", + "platform": "linux", + "in_remnux": true, + "labs": [ + "1.1", + "3.1", + "3.3", + "3.4", + "3.5", + "3.6", + "3.7", + "4.1", + "4.8", + "5.2", + "5.3", + "5.4" + ], + "typical_usage": [ + "unzip -P infected sample.zip" + ], + "for610_sections": [ + 1, + 3, + 4, + 5 + ], + "tags": [ + "archive", + "extraction" + ] + }, + { + "id": "gunzip", + "name": "gunzip", + "aliases": [], + "description": "Decompress gzip-compressed data (often used in multi-stage payload extraction)", + "category": "utilities", + "platform": "linux", + "in_remnux": true, + "labs": [ + "3.4" + ], + "typical_usage": [ + "gunzip -c compressed.gz > output.bin" + ], + "for610_sections": [ + 3 + ], + "tags": [ + "compression", + "extraction" + ] + }, + { + "id": "rar", + "name": "rar", + "aliases": [ + "unrar" + ], + "description": "Extract RAR archives (including self-extracting RAR payloads)", + "category": "utilities", + "platform": "both", + "in_remnux": true, + "labs": [ + "3.5" + ], + "typical_usage": [ + "rar x archive.rar" + ], + "for610_sections": [ + 3 + ], + "tags": [ + "archive", + "extraction" + ] + }, + { + "id": "hexdump", + "name": "hexdump", + "aliases": [], + "description": "Display file 
content in hexadecimal format", + "category": "utilities", + "platform": "linux", + "in_remnux": true, + "labs": [], + "typical_usage": [ + "hexdump -C binary.dat" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "hex", + "binary-viewing" + ] + }, + { + "id": "xxd", + "name": "xxd", + "aliases": [], + "description": "Create hex dump of a file or reverse a hex dump back to binary", + "category": "utilities", + "platform": "linux", + "in_remnux": true, + "labs": [], + "typical_usage": [ + "xxd binary.exe", + "xxd -r hexdump.txt > binary.exe" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "hex", + "binary-conversion" + ] + }, + { + "id": "binwalk", + "name": "binwalk", + "aliases": [], + "description": "Analyze and extract embedded files and firmware images", + "category": "utilities", + "platform": "linux", + "in_remnux": true, + "labs": [], + "typical_usage": [ + "binwalk firmware.bin", + "binwalk -e firmware.bin" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "firmware", + "extraction", + "embedded-files" + ] + }, + { + "id": "wget", + "name": "wget", + "aliases": [], + "description": "Download files from HTTP/HTTPS/FTP servers", + "category": "utilities", + "platform": "linux", + "in_remnux": true, + "labs": [], + "typical_usage": [ + "wget http://example.com/file.bin" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "download", + "http" + ] + }, + { + "id": "curl", + "name": "curl", + "aliases": [], + "description": "Transfer data to/from servers using various protocols", + "category": "utilities", + "platform": "linux", + "in_remnux": true, + "labs": [], + "typical_usage": [ + "curl -L http://example.com", + "curl -o output.bin http://example.com/file" + ], + "for610_sections": [ + 1 + ], + "tags": [ + "download", + "http", + "transfer" + ] + }, + { + "id": "reg-export", + "name": "reg_export", + "aliases": [], + "description": "Extract registry key values to files \u2014 used to recover malware artifacts stored in registry", + "category": 
"utilities", + "platform": "windows", + "in_remnux": false, + "author": "Adam Kramer", + "labs": [ + "4.5" + ], + "typical_usage": [ + "reg_export HKCU\\software\\keyname valuename output.js" + ], + "for610_sections": [ + 4 + ], + "tags": [ + "registry", + "extraction", + "windows" + ] + }, + { + "id": "regedit", + "name": "Regedit", + "aliases": [], + "description": "Windows Registry Editor for browsing and modifying registry keys", + "category": "utilities", + "platform": "windows", + "in_remnux": false, + "labs": [ + "4.5" + ], + "typical_usage": [ + "regedit.exe" + ], + "for610_sections": [ + 4 + ], + "tags": [ + "registry", + "windows" + ] + } + ] +} \ No newline at end of file diff --git a/data/generated/workflows.json b/data/generated/workflows.json new file mode 100644 index 0000000..0dafb23 --- /dev/null +++ b/data/generated/workflows.json 
@@ -0,0 +1,553 @@ +{ + "workflows": [ + { + "id": "static-analysis-workflow", + "name": "Static Properties Analysis", + "description": "Systematic static examination of a suspicious executable without running it", + "steps": [ + { + "order": 1, + "name": "File Identification", + "tools": [ + "file", + "trid", + "exiftool" + ], + "description": "Determine file type, format, and metadata" + }, + { + "order": 2, + "name": "Packing & Entropy Check", + "tools": [ + "diec", + "pestudio", + "peframe" + ], + "description": "Check for packing indicators, high entropy, and suspicious section names" + }, + { + "order": 3, + "name": "String Extraction", + "tools": [ + "pestr", + "strings", + "floss" + ], + "description": "Extract readable strings; use FLOSS for obfuscated strings" + }, + { + "order": 4, + "name": "Import & Capability Analysis", + "tools": [ + "pestudio", + "peframe", + "capa" + ], + "description": "Examine imported APIs, detect capabilities via MITRE ATT&CK mapping" + }, + { + "order": 5, + "name": "Disassembly & Decompilation", + "tools": [ + "ghidra" + ], + "description": "Static code analysis \u2014 function graphs, cross-references, decompiler output" + } + ], + "related_labs": [ + "1.1", + "2.1", + "4.1" + ], + "tags": [ + "static", + "triage", + "pe-analysis" + ] + }, + { + "id": "behavioral-analysis-workflow", + "name": "Behavioral Analysis", + "description": "Monitor malware runtime behavior in a controlled environment", + "steps": [ + { + "order": 1, + "name": "Environment Preparation", + "tools": [], + "description": "Revert to clean VM snapshot, prepare monitoring tools" + }, + { + "order": 2, + "name": "Baseline Snapshot", + "tools": [ + "regshot" + ], + "description": "Capture registry and filesystem state before infection" + }, + { + "order": 3, + "name": "Launch Monitoring", + "tools": [ + "system-informer", + "process-monitor", + "wireshark" + ], + "description": "Start process, filesystem, registry, and network monitoring" + }, + { + "order": 
4, + "name": "Execute Malware", + "tools": [], + "description": "Run specimen and allow it to execute for 1-2 minutes" + }, + { + "order": 5, + "name": "Capture Comparison", + "tools": [ + "regshot" + ], + "description": "Compare post-infection state with baseline" + }, + { + "order": 6, + "name": "Log Analysis", + "tools": [ + "procdot", + "wireshark" + ], + "description": "Analyze Process Monitor logs with ProcDOT, examine network traffic in Wireshark" + } + ], + "related_labs": [ + "1.2", + "1.6", + "4.5" + ], + "tags": [ + "behavioral", + "monitoring", + "dynamic-analysis" + ] + }, + { + "id": "network-interception-workflow", + "name": "Network Interception", + "description": "Redirect and analyze malware network traffic in an isolated lab", + "steps": [ + { + "order": 1, + "name": "DNS Spoofing", + "tools": [ + "fakedns" + ], + "description": "Start fake DNS server to redirect all queries to REMnux" + }, + { + "order": 2, + "name": "Service Emulation", + "tools": [ + "httpd", + "inetsim" + ], + "description": "Start web server or INetSim to respond to malware requests" + }, + { + "order": 3, + "name": "Traffic Capture", + "tools": [ + "wireshark" + ], + "description": "Start packet capture on analysis interface" + }, + { + "order": 4, + "name": "Execute & Observe", + "tools": [ + "system-informer" + ], + "description": "Run malware and monitor process behavior" + }, + { + "order": 5, + "name": "Protocol Analysis", + "tools": [ + "wireshark" + ], + "description": "Follow TCP streams, analyze HTTP requests, extract payloads" + }, + { + "order": 6, + "name": "IP-Based Redirection (if needed)", + "tools": [ + "iptables" + ], + "description": "Use iptables NAT rules for direct IP-based C2 traffic" + } + ], + "related_labs": [ + "1.3", + "1.7", + "1.8" + ], + "tags": [ + "network", + "interception", + "c2-analysis" + ] + }, + { + "id": "document-analysis-workflow", + "name": "Malicious Document Analysis", + "description": "Analyze Office documents, RTF files, and 
PDFs for embedded malware", + "steps": [ + { + "order": 1, + "name": "Format Identification", + "tools": [ + "file", + "trid" + ], + "description": "Identify document format (OLE2, OOXML, RTF, PDF)" + }, + { + "order": 2, + "name": "Structure Extraction", + "tools": [ + "oledump-py", + "rtfdump-py", + "pdfid-py", + "pdf-parser-py" + ], + "description": "Parse document structure \u2014 streams, objects, groups" + }, + { + "order": 3, + "name": "Macro/Script Extraction", + "tools": [ + "oledump-py", + "olevba" + ], + "description": "Extract VBA macros, identify macro streams (M indicator)" + }, + { + "order": 4, + "name": "Payload Decoding", + "tools": [ + "base64dump-py", + "translate-py", + "gunzip", + "numbers-to-string-py" + ], + "description": "Decode embedded payloads \u2014 Base64, XOR, gzip chains" + }, + { + "order": 5, + "name": "Shellcode Analysis", + "tools": [ + "scdbgc", + "xorsearch", + "yara", + "1768-py" + ], + "description": "Emulate shellcode, scan for patterns, check for Cobalt Strike" + } + ], + "related_labs": [ + "3.1", + "3.3", + "3.4", + "3.5" + ], + "tags": [ + "documents", + "office", + "pdf", + "rtf", + "macro" + ] + }, + { + "id": "javascript-deobfuscation-workflow", + "name": "JavaScript Deobfuscation", + "description": "Deobfuscate and analyze malicious JavaScript", + "steps": [ + { + "order": 1, + "name": "Beautification", + "tools": [ + "js-beautify" + ], + "description": "Format compressed/minified JavaScript for readability" + }, + { + "order": 2, + "name": "Static Review", + "tools": [ + "visual-studio-code" + ], + "description": "Identify eval() calls, string concatenation, and encoding patterns" + }, + { + "order": 3, + "name": "SpiderMonkey Execution", + "tools": [ + "spidermonkey" + ], + "description": "Execute with objects.js to simulate ActiveXObject and other APIs" + }, + { + "order": 4, + "name": "Environment Customization", + "tools": [ + "visual-studio-code" + ], + "description": "Edit objects.js to set location.href and 
other expected variables" + }, + { + "order": 5, + "name": "AMSI Monitoring (Windows)", + "tools": [ + "logman", + "cscript", + "amsiscriptcontentretrieval" + ], + "description": "Enable AMSI tracing, execute with CScript, extract monitored content" + } + ], + "related_labs": [ + "3.6", + "3.7" + ], + "tags": [ + "javascript", + "deobfuscation", + "spidermonkey", + "amsi" + ] + }, + { + "id": "unpacking-workflow", + "name": "Unpacking Packed Executables", + "description": "Unpack compressed/encrypted executables and reconstruct valid PE files", + "steps": [ + { + "order": 1, + "name": "Packing Identification", + "tools": [ + "pestudio", + "diec", + "peframe" + ], + "description": "Detect packer via entropy, sections, and signature matching" + }, + { + "order": 2, + "name": "Automated Unpacking Attempt", + "tools": [ + "upx" + ], + "description": "Try automated unpacker if packer is recognized" + }, + { + "order": 3, + "name": "Debugger-Based Unpacking", + "tools": [ + "x64dbg", + "x32dbg" + ], + "description": "Set breakpoints at unpacker tail jump or API calls (VirtualAlloc, VirtualProtect)" + }, + { + "order": 4, + "name": "Anti-Anti-Debugging", + "tools": [ + "scyllahide" + ], + "description": "Enable debugger hiding if malware has anti-debugging" + }, + { + "order": 5, + "name": "Memory Dumping", + "tools": [ + "ollydumpex", + "scylla" + ], + "description": "Dump unpacked process from memory at OEP" + }, + { + "order": 6, + "name": "IAT Reconstruction", + "tools": [ + "scylla" + ], + "description": "Fix import address table in dumped executable" + }, + { + "order": 7, + "name": "PE Fixup (if needed)", + "tools": [ + "pe-unmapper" + ], + "description": "Convert virtual alignment to raw alignment" + }, + { + "order": 8, + "name": "Verification", + "tools": [ + "pestudio", + "strings" + ], + "description": "Verify unpacked file has readable strings and valid imports" + } + ], + "related_labs": [ + "4.1", + "4.2", + "4.3", + "5.3", + "5.8", + "5.10" + ], + "tags": 
[ + "unpacking", + "packing", + "iat", + "memory-dump" + ] + }, + { + "id": "code-injection-workflow", + "name": "Code Injection Analysis", + "description": "Identify and analyze code injection techniques", + "steps": [ + { + "order": 1, + "name": "Capability Detection", + "tools": [ + "capa" + ], + "description": "Identify injection capabilities via MITRE ATT&CK mapping" + }, + { + "order": 2, + "name": "API Identification", + "tools": [ + "ghidra" + ], + "description": "Locate CreateRemoteThread, VirtualAllocEx, WriteProcessMemory, NtUnmapViewOfSection" + }, + { + "order": 3, + "name": "Target Process Analysis", + "tools": [ + "ghidra" + ], + "description": "Identify target process via OpenProcess, CreateToolhelp32Snapshot" + }, + { + "order": 4, + "name": "Injection Verification", + "tools": [ + "x32dbg" + ], + "description": "Set breakpoint on WriteProcessMemory to capture injected code" + }, + { + "order": 5, + "name": "Payload Extraction", + "tools": [ + "x32dbg", + "pestudio" + ], + "description": "Dump injected PE from memory and verify" + } + ], + "related_labs": [ + "4.9", + "5.4" + ], + "tags": [ + "code-injection", + "process-hollowing", + "api-analysis" + ] + }, + { + "id": "dotnet-analysis-workflow", + "name": ".NET Malware Analysis", + "description": "Analyze .NET malware using decompilation, debugging, and deobfuscation", + "steps": [ + { + "order": 1, + "name": "Identification", + "tools": [ + "pestudio", + "peframe", + "exeinfo-pe" + ], + "description": "Confirm .NET binary and check for obfuscation indicators" + }, + { + "order": 2, + "name": "Static Decompilation", + "tools": [ + "ilspycmd", + "ilspy" + ], + "description": "Decompile to view C#/VB.NET source code" + }, + { + "order": 3, + "name": "Reflective Loading Detection", + "tools": [ + "visual-studio-code" + ], + "description": "Search for Assembly.Load, CompileAssemblyFromSource patterns" + }, + { + "order": 4, + "name": "Dynamic Debugging", + "tools": [ + "dnspyex" + ], + "description": 
"Set breakpoints on Assembly.Load to capture in-memory assemblies" + }, + { + "order": 5, + "name": "Payload Extraction", + "tools": [ + "dnspyex" + ], + "description": "Save byte arrays from Locals window" + }, + { + "order": 6, + "name": "Deobfuscation", + "tools": [ + "de4dot" + ], + "description": "Remove .NET obfuscation from extracted assemblies" + }, + { + "order": 7, + "name": "Final Analysis", + "tools": [ + "ilspy", + "pestudio" + ], + "description": "Decompile and examine clean assembly" + } + ], + "related_labs": [ + "3.12", + "4.8" + ], + "tags": [ + "dotnet", + "decompilation", + "deobfuscation", + "reflective-loading" + ] + } + ] +} \ No newline at end of file diff --git a/data/generated/workflows/android-analysis-workflow.txt b/data/generated/workflows/android-analysis-workflow.txt new file mode 100644 index 0000000..eda924d --- /dev/null +++ b/data/generated/workflows/android-analysis-workflow.txt 
@@ -0,0 +1,68 @@ +============================================================ + Android Malware Analysis +============================================================ + + Analyze suspicious Android APK files using static and dynamic techniques available in REMnux. + +──────────────────────────────────────────────────────────── + + Step 1: APK Triage + Tools: file, apkid + Verify file type and check for packers/obfuscators. + APKiD detects: known packers (DexGuard, Bangcle), + obfuscators, anti-debug techniques. + + $ file specimen.exe + + Step 2: Manifest Analysis + Tools: apktool + Decompile APK: apktool d -o output/. Examine + AndroidManifest.xml for: excessive permissions, + receivers, services, exported components, intent + filters. + + $ apktool d -o output/ + + Step 3: Source Code Recovery + Tools: jadx + Decompile DEX to Java: jadx -d output/. Review + source code for: C2 URLs, crypto operations, SMS + interception, data exfiltration, root checks. + + $ jadx -d output/ + + Step 4: Static Analysis + Tools: androguard, droidlysis + androguard: analyze APK structure, permissions, + activities. droidlysis: automated static analysis with + IOC extraction. Check for: hardcoded keys, URLs, + suspicious API usage. + + $ androguard analyze + + Step 5: Native Library Analysis + Tools: strings, radare2 + If APK contains .so libraries: extract from lib/ + directory. Analyze with strings and radare2. Native + code often hides C2 logic and crypto. + + $ strings binary.exe + $ r2 specimen.exe + + Step 6: Dynamic Instrumentation + Tools: frida + Hook suspicious functions at runtime: frida -U -l + hook.js . Intercept: crypto operations, + network calls, file access, SMS operations. + + $ frida -l hook.js + + Step 7: Document Findings + Record: package name, permissions abused, C2 + infrastructure, data exfiltrated, persistence + mechanism, targeted user data (SMS, contacts, + location). 
+ +──────────────────────────────────────────────────────────── + Tip: 'fhelp cheat ' for full examples + 'Ctrl+G' for interactive cheatsheet browser diff --git a/data/generated/workflows/behavioral-analysis-workflow.txt b/data/generated/workflows/behavioral-analysis-workflow.txt new file mode 100644 index 0000000..534ceb1 --- /dev/null +++ b/data/generated/workflows/behavioral-analysis-workflow.txt 
@@ -0,0 +1,66 @@ +============================================================ + Behavioral Analysis +============================================================ + + Monitor runtime behavior in an isolated environment. Applicable to any executable or script on Linux (REMnux) or Windows. + + Related FOR610 Labs: 1.2, 1.4, 1.6, 4.5 + +──────────────────────────────────────────────────────────── + + Step 1: Environment Preparation + Revert to clean snapshot. Disconnect from production + network. Verify isolation (host-only networking). Set + max execution time (2-5 minutes). + + Step 2: Network Interception Setup + Tools: fakedns, inetsim, fakenet-ng + Start fake DNS and service emulation so malware gets + responses. On REMnux: fakedns for DNS, INetSim or + FakeNet-NG for HTTP/HTTPS/SMTP/FTP. + + $ fakedns + $ inetsim + $ fakenet + + Step 3: Monitoring Setup + Tools: wireshark, tcpdump, strace + Start packet capture (wireshark or tcpdump). On Linux: + strace/ltrace for syscalls. Start filesystem + monitoring. + + $ wireshark + $ tcpdump -i eth0 -w capture.pcap + + Step 4: Emulation (Safe Alternative) + Tools: speakeasy, capa + Before live execution, try emulation: speakeasy + emulates Windows API calls on Linux safely. Use capa + -vv for capability overview. + + $ speakeasy -t specimen.exe -o report.json 2> report.txt + $ capa specimen.exe + + Step 5: Execute & Monitor + Run the sample with a timeout. Monitor for: new + processes spawned, files created/modified, network + connections, DNS queries. Kill after 2-5 minutes. + + Step 6: Analyze Results + Tools: wireshark, procdot + Review network capture: follow TCP streams, extract + payloads, identify C2 patterns. Analyze process + activity logs. Map filesystem changes. + + $ wireshark + $ procdot + + Step 7: Extract IOCs + Document: contacted domains/IPs, created + files/registry keys, spawned processes, persistence + mechanisms. Classify behavior: downloader, backdoor, + ransomware, etc. 
+ +──────────────────────────────────────────────────────────── + Tip: 'fhelp cheat ' for full examples + 'Ctrl+G' for interactive cheatsheet browser diff --git a/data/generated/workflows/cobalt-strike-workflow.txt b/data/generated/workflows/cobalt-strike-workflow.txt new file mode 100644 index 0000000..a2c7df2 --- /dev/null +++ b/data/generated/workflows/cobalt-strike-workflow.txt 
@@ -0,0 +1,69 @@ +============================================================ + Cobalt Strike Analysis +============================================================ + + Analyze Cobalt Strike beacons, configurations, and network traffic using Didier Stevens' CS toolkit on REMnux. + + Related FOR610 Labs: 3.4 + +──────────────────────────────────────────────────────────── + + Step 1: Beacon Detection + Tools: yara, capa + Scan suspect file with YARA rules for CS signatures. + capa detects 'receive data from C2' and beacon-like + capabilities. Check for: characteristic 200KB+ size, + sleep patterns. + + $ yara-rules specimen.bin + $ capa specimen.exe + + Step 2: Configuration Extraction + Tools: 1768-py + Parse beacon config: 1768.py . Extracts: C2 + URLs, user-agent, beacon interval, watermark, spawn-to + process, named pipes, proxy config. + + $ 1768.py shellcode.bin + + Step 3: Metadata Decryption + Tools: cs-decrypt-metadata-py + Decrypt beacon metadata from network captures: cs- + decrypt-metadata.py . Reveals: computer + name, user, process info sent to team server. + + $ cs-decrypt-metadata.py + + Step 4: Key Extraction + Tools: cs-extract-key-py + Extract encryption keys: cs-extract-key.py -f + . Recovers AES and HMAC keys used for C2 + communication encryption. + + $ cs-extract-key.py -f + + Step 5: Traffic Decryption + Tools: cs-parse-traffic-py + Decrypt C2 traffic: cs-parse-traffic.py -f -k + . Reveals: tasking commands, downloaded + payloads, exfiltrated data. + + $ cs-parse-traffic.py -f -k + + Step 6: Sleep Mask Analysis + Tools: cs-analyze-processdump-py + Analyze sleep mask: cs-analyze-processdump.py . + Detects if beacon encrypts itself in memory during + sleep. Useful for memory forensics. + + $ cs-analyze-processdump.py + + Step 7: Document Findings + Record: C2 domains/IPs, beacon interval, watermark + (operator ID), user-agent strings, named pipe + patterns, spawn-to process, malleable C2 profile + indicators. 
+ +──────────────────────────────────────────────────────────── + Tip: 'fhelp cheat ' for full examples + 'Ctrl+G' for interactive cheatsheet browser diff --git a/data/generated/workflows/code-injection-workflow.txt b/data/generated/workflows/code-injection-workflow.txt new file mode 100644 index 0000000..2a7390c --- /dev/null +++ b/data/generated/workflows/code-injection-workflow.txt 
@@ -0,0 +1,83 @@ +============================================================ + Code Injection Analysis +============================================================ + + Identify and analyze process injection techniques including DLL injection, process hollowing, and reflective loading. + + Related FOR610 Labs: 4.9, 5.4 + +──────────────────────────────────────────────────────────── + + Step 1: Capability Detection + Tools: capa + Run capa to identify injection techniques. Look for: + 'inject code', 'create suspended process', 'allocate + RWX memory'. Note MITRE ATT&CK technique IDs. + + $ capa specimen.exe + + Step 2: Injection Type Classification + Tools: ghidra, cutter + Identify which technique: Classic DLL injection + (LoadLibrary), Process Hollowing (CreateProcess + SUSPENDED + NtUnmapViewOfSection), Reflective DLL + (manual PE loading), APC injection (QueueUserAPC). + + $ ghidra + $ cutter specimen.exe + + Step 3: Target Process Analysis + Tools: ghidra + How does malware choose its target? Look for: + CreateToolhelp32Snapshot + Process32First/Next + (enumeration), hardcoded process names (svchost.exe, + explorer.exe), OpenProcess calls. + + $ ghidra + + Step 4: Payload Identification + Tools: ghidra + What gets injected? Trace data flow to + WriteProcessMemory or NtWriteVirtualMemory. Is it: + embedded PE, shellcode, encrypted blob? Check size and + content. + + $ ghidra + + Step 5: Memory Allocation Analysis + Tools: ghidra + Examine VirtualAllocEx parameters: size (hints at + payload type), protection flags + (PAGE_EXECUTE_READWRITE = 0x40 = suspicious). + Allocation address for base relocation. + + $ ghidra + + Step 6: Injection Verification [W] + Tools: x32dbg, x64dbg + Set breakpoint on WriteProcessMemory. When hit: + examine lpBuffer (injected data), nSize (payload + size). Dump the buffer to file for separate analysis. 
+ + $ x32dbg.exe specimen.exe + $ x64dbg.exe specimen.exe + + Step 7: Extracted Payload Analysis + Tools: peframe, capa, strings + Analyze the injected payload as standalone file. Route + to: Static Analysis Workflow (if PE), Shellcode + Workflow (if shellcode), .NET Workflow (if .NET + assembly). + + $ peframe specimen.exe + $ capa specimen.exe + $ strings binary.exe + + Step 8: Document Technique + Record: injection technique, target process criteria, + payload type and hash, API call sequence, memory + protection flags. Map to MITRE ATT&CK (T1055.x). + +──────────────────────────────────────────────────────────── + Tip: 'fhelp cheat ' for full examples + 'Ctrl+G' for interactive cheatsheet browser diff --git a/data/generated/workflows/document-analysis-workflow.txt b/data/generated/workflows/document-analysis-workflow.txt new file mode 100644 index 0000000..553bebe --- /dev/null +++ b/data/generated/workflows/document-analysis-workflow.txt 
@@ -0,0 +1,84 @@ +============================================================ + Malicious Document Analysis +============================================================ + + Analyze suspicious documents (PDF, Office, RTF, OneNote) for embedded malware, macros, and exploits. Follows Zeltser's 6-step methodology. + + Related FOR610 Labs: 3.1, 3.3, 3.4, 3.5 + +──────────────────────────────────────────────────────────── + + Step 1: Format Identification + Tools: file, trid + Identify true format: OLE2 (legacy Office), OOXML + (modern Office), RTF, PDF, OneNote. Don't trust the + file extension — use magic bytes. + + $ file specimen.exe + $ trid document.doc + + Step 2: Structure Analysis + Tools: oledump-py, rtfdump-py, pdfid-py, pdf-parser-py, onedump-py + Parse document internals. For Office: oledump.py to + list streams (M = macro). For PDF: pdfid.py for risky + keywords (/JavaScript, /OpenAction). For RTF: + rtfdump.py for hex-heavy groups. + + $ oledump.py document.docm + $ rtfdump.py document.rtf + $ pdfid.py document.pdf + $ pdf-parser.py document.pdf -a + + Step 3: Password Handling (if encrypted) + Tools: msoffcrypto-tool + If document is password-protected: msoffcrypto-tool -p + . Common passwords: + infected, malware, password, 123456. + + $ msoffcrypto-tool -p infected + + Step 4: Macro/Script Extraction + Tools: oledump-py, olevba, pcode2code, XLMMacroDeobfuscator + Extract VBA: oledump.py -s -v. For p-code: + pcode2code. For Excel 4.0 macros: + XLMMacroDeobfuscator. Check olevba for auto-execute + triggers (AutoOpen, Document_Open). + + $ oledump.py document.docm + $ olevba document.docm + $ pcode2code + $ xlmdeobfuscator --file + + Step 5: Payload Decoding + Tools: base64dump-py, translate-py, gunzip, numbers-to-string-py, cyberchef + Decode embedded payloads. Common chains: Base64 → + gunzip → XOR. Use CyberChef for visual multi-step + decoding. translate.py for byte-level transforms (byte + ^ key). 
+ + $ base64dump.py file.txt + $ translate.py "byte ^ 35" < input.bin > output.bin + $ gunzip -c compressed.gz > output.bin + $ oledump.py doc.docm -s A3 -v | numbers-to-string.py -j + $ cyberchef + + Step 6: Embedded Object Analysis + Tools: scdbgc, xorsearch, yara, 1768-py + If shellcode found: emulate with scdbgc. Scan for + known patterns (YARA). Check for Cobalt Strike beacons + (1768.py). Route PE payloads to Static Analysis + Workflow. + + $ scdbgc /f shellcode.bin /s -1 + $ XORSearch -W -d 3 file.bin + $ yara-rules specimen.bin + $ 1768.py shellcode.bin + + Step 7: Document IOCs + Record: embedded URLs, downloaded payload hashes, C2 + addresses, macro behavior (what APIs called), exploit + type (CVE if applicable). + +──────────────────────────────────────────────────────────── + Tip: 'fhelp cheat ' for full examples + 'Ctrl+G' for interactive cheatsheet browser diff --git a/data/generated/workflows/dotnet-analysis-workflow.txt b/data/generated/workflows/dotnet-analysis-workflow.txt new file mode 100644 index 0000000..e2a6aa9 --- /dev/null +++ b/data/generated/workflows/dotnet-analysis-workflow.txt 
@@ -0,0 +1,81 @@ +============================================================ + .NET Malware Analysis +============================================================ + + Analyze .NET malware using decompilation, debugging, and deobfuscation. Works for .NET Framework, .NET Core, and mixed-mode assemblies. + + Related FOR610 Labs: 3.12, 4.8 + +──────────────────────────────────────────────────────────── + + Step 1: Identification & Metadata + Tools: peframe, diec, dnfile, dotnetfile + Confirm .NET binary (peframe shows 'CLR'). Check + runtime version (.NET 2/4/Core). Use dnfile or + dotnetfile for .NET-specific metadata. Note entry + point and referenced assemblies. + + $ peframe specimen.exe + $ diec specimen.exe + + Step 2: Obfuscator Detection + Tools: diec, de4dot + Detect obfuscator: DIE identifies ConfuserEx, Eziriz + .NET Reactor, Babel, etc. de4dot -d reports + detected obfuscator without modifying the file. + + $ diec specimen.exe + $ de4dot obfuscated.exe + + Step 3: Decompilation + Tools: ilspycmd, monodis + Decompile to C# source: ilspycmd > output.cs. + On REMnux use ilspycmd (CLI). Examine: Main() entry, + suspicious class/method names, embedded resources. + + $ ilspycmd assembly.exe > decompiled.cs + + Step 4: Dynamic Loading Detection + Tools: visual-studio-code + Search decompiled code for: Assembly.Load(byte[]), + Assembly.LoadFrom(), Activator.CreateInstance(), + MethodInfo.Invoke(), CSharpCodeProvider. These + indicate runtime code loading. + + $ code filename.js + + Step 5: Deobfuscation + Tools: de4dot + Run: de4dot -o . If de4dot fails: try + with --dont-rename flag, or manually rename obfuscated + symbols. For ConfuserEx: de4dot handles most variants. + + $ de4dot obfuscated.exe + + Step 6: Dynamic Debugging [W] + Tools: dnspyex + If static analysis insufficient: load in dnSpyEx, set + breakpoint on Assembly.Load or suspicious method. Run + and inspect Locals window for decrypted payloads. Save + byte[] arrays to disk. 
+ + $ dnSpyEx.exe assembly.exe + + Step 7: Extracted Payload Analysis + Tools: ilspycmd, peframe + Analyze extracted payload: is it another .NET + assembly? (recurse this workflow). Is it a PE file? + (route to Static Analysis). Document the unpacking + chain. + + $ ilspycmd assembly.exe > decompiled.cs + $ peframe specimen.exe + + Step 8: Document Findings + Record: obfuscator type, .NET version, loading + mechanism, payload hashes, C2 endpoints found in + decompiled code, encryption keys/algorithms. + +──────────────────────────────────────────────────────────── + Tip: 'fhelp cheat ' for full examples + 'Ctrl+G' for interactive cheatsheet browser diff --git a/data/generated/workflows/email-analysis-workflow.txt b/data/generated/workflows/email-analysis-workflow.txt new file mode 100644 index 0000000..0d62f3a --- /dev/null +++ b/data/generated/workflows/email-analysis-workflow.txt 
@@ -0,0 +1,59 @@ +============================================================ + Email & Phishing Analysis +============================================================ + + Analyze suspicious email messages for phishing indicators, malicious attachments, and weaponized links. + +──────────────────────────────────────────────────────────── + + Step 1: Header Analysis + Tools: emldump-py, mail-parser + Parse SMTP headers: emldump.py . Check: + Received headers (delivery path), Return-Path vs From + (spoofing), SPF/DKIM results, X-Mailer. + + $ emldump.py message.eml + $ python3 -c "import mailparser; mail = mailparser.parse_from_file(''); print(mail.subject)" + + Step 2: Attachment Extraction + Tools: emldump-py, msg-extractor + Extract attachments: emldump.py -d. For + MSG format: msg-extractor . List all + attachments with types and sizes. + + $ emldump.py message.eml + $ extract_msg + + Step 3: Attachment Triage + Tools: file, trid, yara, sha256sum + For each attachment: identify type, compute hash, scan + with YARA. Route to appropriate workflow: Document + Analysis (Office/PDF), Static Analysis (PE), + JavaScript Deobfuscation (JS/HTML). + + $ file specimen.exe + $ trid document.doc + $ yara-rules specimen.bin + + Step 4: Link Analysis + Tools: unfurl + Extract all URLs from email body and headers. Use + Unfurl to decompose URLs (reveal tracking pixels, + redirect chains, encoded parameters). + + $ unfurl parse + + Step 5: Payload Analysis + Analyze extracted attachments using the appropriate + workflow. Common patterns: Office doc with macro → + downloads PE, PDF with link → credential harvester, + HTML attachment → phishing page. + + Step 6: Document IOCs + Record: sender address and IP, subject line, + attachment names and hashes, all URLs, C2/phishing + domains, email infrastructure (mail server names). + +──────────────────────────────────────────────────────────── + Tip: 'fhelp cheat ' for full examples + 'Ctrl+G' for interactive cheatsheet browser 
diff --git a/data/generated/workflows/index.txt b/data/generated/workflows/index.txt new file mode 100644 index 0000000..c7e2b68 --- /dev/null +++ b/data/generated/workflows/index.txt 
@@ -0,0 +1,95 @@ +============================================================ + Available Analysis Workflows +============================================================ + + static-analysis-workflow + Static Properties Analysis + Systematic static examination of a suspicious file + without executing it. Works for PE, ELF, .NET, + scripts, and documents. + + behavioral-analysis-workflow + Behavioral Analysis + Monitor runtime behavior in an isolated environment. + Applicable to any executable or script on Linux + (REMnux) or Windows. + + network-interception-workflow + Network Traffic Interception + Redirect and analyze malware network traffic in an + isolated REMnux environment. Covers DNS, HTTP, + HTTPS, and raw IP interception. + + document-analysis-workflow + Malicious Document Analysis + Analyze suspicious documents (PDF, Office, RTF, + OneNote) for embedded malware, macros, and exploits. + Follows Zeltser's 6-step methodology. + + javascript-deobfuscation-workflow + JavaScript Deobfuscation + Deobfuscate and analyze malicious JavaScript from + web pages, email attachments, or document macros. + + unpacking-workflow + Unpacking Packed Executables + Unpack compressed, encrypted, or obfuscated + executables to reveal the original code. Covers + automated and manual techniques. + + code-injection-workflow + Code Injection Analysis + Identify and analyze process injection techniques + including DLL injection, process hollowing, and + reflective loading. + + dotnet-analysis-workflow + .NET Malware Analysis + Analyze .NET malware using decompilation, debugging, + and deobfuscation. Works for .NET Framework, .NET + Core, and mixed-mode assemblies. + + shellcode-analysis-workflow + Shellcode Analysis + Analyze extracted shellcode from documents, + exploits, or injected processes. Covers detection, + emulation, and payload identification. + + string-deobfuscation-workflow + String & Data Deobfuscation + Decode obfuscated strings and data in malware. 
+ Covers XOR, Base64, stack strings, custom + algorithms, and multi-layer encoding. + + memory-forensics-workflow + Memory Forensics + Analyze memory dumps to find malware artifacts, + injected code, and hidden processes. Uses Volatility + 3 framework on REMnux. + + android-analysis-workflow + Android Malware Analysis + Analyze suspicious Android APK files using static + and dynamic techniques available in REMnux. + + java-analysis-workflow + Java Malware Analysis + Analyze malicious Java archives (JAR), applets, and + compiled classes. Covers decompilation and code + analysis. + + email-analysis-workflow + Email & Phishing Analysis + Analyze suspicious email messages for phishing + indicators, malicious attachments, and weaponized + links. + + cobalt-strike-workflow + Cobalt Strike Analysis + Analyze Cobalt Strike beacons, configurations, and + network traffic using Didier Stevens' CS toolkit on + REMnux. + +──────────────────────────────────────────────────────────── + Usage: fhelp workflow + Example: fhelp workflow static-analysis diff --git a/data/generated/workflows/java-analysis-workflow.txt b/data/generated/workflows/java-analysis-workflow.txt new file mode 100644 index 0000000..775a1a5 --- /dev/null +++ b/data/generated/workflows/java-analysis-workflow.txt 
@@ -0,0 +1,60 @@ +============================================================ + Java Malware Analysis +============================================================ + + Analyze malicious Java archives (JAR), applets, and compiled classes. Covers decompilation and code analysis. + +──────────────────────────────────────────────────────────── + + Step 1: Archive Inspection + Tools: unzip, file + Extract JAR contents: unzip -d output/. + Examine META-INF/MANIFEST.MF for Main-Class entry + point. List all .class files. + + $ unzip -P infected sample.zip + $ file specimen.exe + + Step 2: Decompilation + Tools: cfr, jd-gui + Decompile with CFR: cfr --outputdir + output/. Or use JD-GUI for visual browsing. CFR + handles modern Java (lambdas, try-with-resources) + better. + + $ cfr --outputdir output/ + $ jd-gui + + Step 3: Multi-Decompiler Comparison + Tools: cfr, procyon + If one decompiler fails on a class: try Procyon. + Compare outputs. Some obfuscators break specific + decompilers while others handle them fine. + + $ cfr --outputdir output/ + + Step 4: Code Analysis + Tools: visual-studio-code + Review decompiled source. Search for: Runtime.exec() + (command execution), URLConnection (network), Cipher + (crypto), File I/O operations, reflection + (Class.forName). + + $ code filename.js + + Step 5: Resource Extraction + Tools: strings + Extract embedded resources and strings. Check for: + encoded payloads in resources, config files, embedded + binaries. Base64-encoded content is common. + + $ strings binary.exe + + Step 6: Document Findings + Record: entry point class, malicious methods, + URLs/IPs, downloaded payloads, commands executed, Java + version requirements. + +──────────────────────────────────────────────────────────── + Tip: 'fhelp cheat ' for full examples + 'Ctrl+G' for interactive cheatsheet browser 
diff --git a/data/generated/workflows/javascript-deobfuscation-workflow.txt b/data/generated/workflows/javascript-deobfuscation-workflow.txt new file mode 100644 index 0000000..743a6c8 --- /dev/null +++ b/data/generated/workflows/javascript-deobfuscation-workflow.txt 
@@ -0,0 +1,61 @@ +============================================================ + JavaScript Deobfuscation +============================================================ + + Deobfuscate and analyze malicious JavaScript from web pages, email attachments, or document macros. + + Related FOR610 Labs: 3.6, 3.7 + +──────────────────────────────────────────────────────────── + + Step 1: Beautification + Tools: js-beautify + Format minified/compressed JavaScript for readability. + Look for: eval() calls, document.write(), + String.fromCharCode(), unescape(), atob(). + + $ js-beautify malicious.js > beautified.js + + Step 2: Static Review + Tools: visual-studio-code + Identify obfuscation layers. Search for: eval/Function + constructor (code execution), long encoded strings, + variable name patterns (single chars = likely + obfuscated). + + $ code filename.js + + Step 3: Safe Execution (SpiderMonkey) + Tools: spidermonkey + Execute outside browser with objects.js to simulate + browser/WScript APIs. Command: js -f + /usr/share/remnux/objects.js -f . Captures + eval'd code without running it. + + $ js -f malicious.js + + Step 4: Environment Tuning + Tools: visual-studio-code + If script expects specific environment (location.href, + navigator.userAgent): edit objects.js to provide + expected values. Re-run SpiderMonkey. + + $ code filename.js + + Step 5: Alternative Analysis + Tools: box-js, jstillery + box-js: Node.js sandbox with WScript emulation. + JStillery: AST-based deobfuscation. Use when + SpiderMonkey can't handle the obfuscation. + + $ box-js --output-dir=/tmp suspicious.js + + Step 6: Payload Identification + What does the deobfuscated JS do? Common patterns: + download & execute (dropper), redirect to exploit kit, + credential harvesting. Extract all URLs, IPs, file + paths. + +──────────────────────────────────────────────────────────── + Tip: 'fhelp cheat ' for full examples + 'Ctrl+G' for interactive cheatsheet browser 
diff --git a/data/generated/workflows/memory-forensics-workflow.txt b/data/generated/workflows/memory-forensics-workflow.txt new file mode 100644 index 0000000..51823a2 --- /dev/null +++ b/data/generated/workflows/memory-forensics-workflow.txt 
@@ -0,0 +1,81 @@ +============================================================ + Memory Forensics +============================================================ + + Analyze memory dumps to find malware artifacts, injected code, and hidden processes. Uses Volatility 3 framework on REMnux. + +──────────────────────────────────────────────────────────── + + Step 1: Image Identification + Tools: volatility3 + Determine OS and profile: vol3 -f windows.info + (or linux.info). Verify image is valid and identify OS + version, build, architecture. + + $ vol3 -f windows.info + + Step 2: Process Analysis + Tools: volatility3 + List processes: vol3 -f windows.pslist / + windows.pstree. Look for: suspicious names, unusual + parent-child relationships, processes with no window + title, duplicate system processes. + + $ vol3 -f windows.info + + Step 3: Network Connections + Tools: volatility3 + List connections: vol3 -f windows.netscan. + Identify: C2 connections, unusual ports, connections + to known-bad IPs. Cross-reference with process PIDs. + + $ vol3 -f windows.info + + Step 4: Injection Detection + Tools: volatility3 + Detect injected code: vol3 -f windows.malfind. + Shows: processes with executable memory not backed by + a file. Dump suspicious regions for further analysis. + + $ vol3 -f windows.info + + Step 5: DLL Analysis + Tools: volatility3 + List loaded DLLs: vol3 -f windows.dlllist --pid + . Look for: DLLs loaded from unusual paths (temp, + appdata), unsigned DLLs, DLLs not in known-good + baseline. + + $ vol3 -f windows.info + + Step 6: String Search + Tools: volatility3, strings + Search for known IOCs in memory: vol3 -f + windows.strings. Also: strings | grep -i + ''. Look for URLs, domains, file paths, + commands. + + $ vol3 -f windows.info + $ strings binary.exe + + Step 7: Process & Code Dumping + Tools: volatility3 + Extract suspicious processes: vol3 -f + windows.dumpfiles --pid . Extract injected code + regions from malfind results. 
Analyze dumped files + with Static Analysis Workflow. + + $ vol3 -f windows.info + + Step 8: Timeline Reconstruction + Tools: volatility3 + Build timeline: vol3 -f timeliner.Timeliner. + Reconstruct: when malware started, what it did, + lateral movement. Correlate with process tree and + network data. + + $ vol3 -f windows.info + +──────────────────────────────────────────────────────────── + Tip: 'fhelp cheat ' for full examples + 'Ctrl+G' for interactive cheatsheet browser diff --git a/data/generated/workflows/network-interception-workflow.txt b/data/generated/workflows/network-interception-workflow.txt new file mode 100644 index 0000000..eb15792 --- /dev/null +++ b/data/generated/workflows/network-interception-workflow.txt 
@@ -0,0 +1,89 @@ +============================================================ + Network Traffic Interception +============================================================ + + Redirect and analyze malware network traffic in an isolated REMnux environment. Covers DNS, HTTP, HTTPS, and raw IP interception. + + Related FOR610 Labs: 1.3, 1.7, 1.8 + +──────────────────────────────────────────────────────────── + + Step 1: DNS Interception + Tools: fakedns + Start fakedns to resolve ALL domains to REMnux IP. + Verify: nslookup any-domain.com should return your + REMnux IP. + + $ fakedns + + Step 2: Service Emulation + Tools: inetsim, fakenet-ng, httpd + Choose emulator based on needed protocols. INetSim: + HTTP, HTTPS, DNS, FTP, SMTP (most complete). FakeNet- + NG: similar but different engine. httpd: simple HTTP + only. + + $ inetsim + $ fakenet + $ httpd + + Step 3: TLS/HTTPS Interception (if needed) + Tools: mitmproxy, polarproxy + For HTTPS C2: mitmproxy as transparent proxy, or + PolarProxy for TLS decryption. Install proxy CA cert + on analysis machine if needed. + + $ mitmproxy + $ PolarProxy -p 443,80 -w captured.pcap + + Step 4: Packet Capture + Tools: wireshark, tcpdump + Start capture before executing malware. Filter: not + arp and not broadcast. Save to PCAP for later + analysis. + + $ wireshark + $ tcpdump -i eth0 -w capture.pcap + + Step 5: Execute & Observe + Run malware on analysis VM. Watch for: DNS queries + (domain names), HTTP requests (URLs, user-agents), raw + TCP connections (IP:port). + + Step 6: Traffic Analysis + Tools: wireshark, tshark, ngrep, tcpflow + Follow TCP streams for full request/response. Use + ngrep for pattern search across packets. Use tcpflow + to extract individual streams. Identify beaconing + (regular intervals). 
+ + $ wireshark + $ tshark -r capture.pcap + $ ngrep -I 'password' + $ tcpflow -r -o output/ + + Step 7: File Extraction + Tools: tcpxtract, networkminer + Carve files from PCAP: downloaded payloads, + exfiltrated data, second-stage malware. NetworkMiner + does this automatically. + + $ tcpxtract -f -o output/ + $ NetworkMiner --pcap + + Step 8: IP-Based Redirection (if needed) + Tools: iptables + If malware uses hardcoded IPs (no DNS): iptables -t + nat -A PREROUTING -i eth0 -j REDIRECT. This redirects + ALL traffic to local services. + + $ iptables -t nat -A PREROUTING -i ens32 -j REDIRECT + + Step 9: Document Network IOCs + Record: C2 domains/IPs, URI paths, user-agent strings, + beacon intervals, downloaded file hashes, TLS + certificate details. + +──────────────────────────────────────────────────────────── + Tip: 'fhelp cheat ' for full examples + 'Ctrl+G' for interactive cheatsheet browser diff --git a/data/generated/workflows/shellcode-analysis-workflow.txt b/data/generated/workflows/shellcode-analysis-workflow.txt new file mode 100644 index 0000000..765578a --- /dev/null +++ b/data/generated/workflows/shellcode-analysis-workflow.txt 
@@ -0,0 +1,78 @@ +============================================================ + Shellcode Analysis +============================================================ + + Analyze extracted shellcode from documents, exploits, or injected processes. Covers detection, emulation, and payload identification. + + Related FOR610 Labs: 3.4, 3.5, 4.6, 4.7 + +──────────────────────────────────────────────────────────── + + Step 1: Shellcode Detection + Tools: xorsearch, yara, capa + Scan carrier file for shellcode patterns. XORSearch -W + -d 3 detects common shellcode signatures even + when XOR-encoded. YARA rules catch known frameworks. + + $ XORSearch -W -d 3 file.bin + $ yara-rules specimen.bin + $ capa specimen.exe + + Step 2: Extraction + Tools: rtfdump-py, oledump-py, pdf-parser-py + Extract shellcode from carrier. For RTF: rtfdump.py -s + -H -d > sc.bin. For OLE: oledump.py -s + -d > sc.bin. For PDF: pdf-parser.py -o + -d sc.bin. + + $ rtfdump.py document.rtf + $ oledump.py document.docm + $ pdf-parser.py document.pdf -a + + Step 3: Emulation + Tools: scdbgc, speakeasy + Emulate without execution. scdbgc /f sc.bin /s -1 + shows API calls. speakeasy -t sc.bin -r -a x86 for + deeper emulation. Look for: URL downloads, file + writes, process creation. + + $ scdbgc /f shellcode.bin /s -1 + $ speakeasy -t specimen.exe -o report.json 2> report.txt + + Step 4: Framework Identification + Tools: yara, 1768-py + Check for known frameworks. 1768.py identifies Cobalt + Strike beacons. YARA rules detect Metasploit, Cobalt + Strike, custom frameworks. Document beacon config if + found. + + $ yara-rules specimen.bin + $ 1768.py shellcode.bin + + Step 5: Conversion to EXE + Tools: shcode2exe + Convert shellcode to executable for static analysis: + shcode2exe sc.bin sc.exe. Then analyze with peframe, + strings, ghidra. + + $ shcode2exe + + Step 6: String & IOC Extraction + Tools: strings, floss, cyberchef + Extract strings from shellcode. 
Look for: C2 URLs, + download paths, filename markers, encryption keys. Use + CyberChef for encoded content. + + $ strings binary.exe + $ floss specimen.exe + $ cyberchef + + Step 7: Document Findings + Record: shellcode offset in carrier, size, + encoding/XOR key, framework (Metasploit/CS/custom), C2 + address, downloaded payload URL, technique + (staged/stageless). + +──────────────────────────────────────────────────────────── + Tip: 'fhelp cheat ' for full examples + 'Ctrl+G' for interactive cheatsheet browser diff --git a/data/generated/workflows/static-analysis-workflow.txt b/data/generated/workflows/static-analysis-workflow.txt new file mode 100644 index 0000000..1e6f2ff --- /dev/null +++ b/data/generated/workflows/static-analysis-workflow.txt 
@@ -0,0 +1,88 @@ +============================================================ + Static Properties Analysis +============================================================ + + Systematic static examination of a suspicious file without executing it. Works for PE, ELF, .NET, scripts, and documents. + + Related FOR610 Labs: 1.1, 2.1, 4.1 + +──────────────────────────────────────────────────────────── + + Step 1: File Identification & Hashing + Tools: file, trid, exiftool, sha256sum + Determine file type using magic bytes. Compute hashes + (MD5, SHA256) for lookup and documentation. Record + file size and timestamps. + + $ file specimen.exe + $ trid document.doc + $ exiftool document.pdf + + Step 2: Reputation Check + Tools: malwoverview, virustotal-search + Look up hash on VirusTotal/MalwareBazaar. If known + malware, note family name and detection rate. If clean + or unknown, continue analysis. + + $ malwoverview -v + + Step 3: Packing & Entropy Check + Tools: diec, peframe + Check for packing indicators and high entropy + sections. Look for: unusual section names, small + import table, high entropy (>7.0). If packed, consider + the Unpacking Workflow. + + $ diec specimen.exe + $ peframe specimen.exe + + Step 4: String Extraction + Tools: strings, floss, pestr + Extract readable strings. Use FLOSS for + obfuscated/stack strings. Look for: URLs, IPs, + domains, registry keys, file paths, error messages, + API names. + + $ strings binary.exe + $ floss specimen.exe + $ pestr specimen.exe + + Step 5: Capability Detection + Tools: capa, yara + Identify capabilities mapped to MITRE ATT&CK. Scan + with YARA rules for known malware families. Look for: + persistence, C2, evasion, lateral movement + capabilities. + + $ capa specimen.exe + $ yara-rules specimen.bin + + Step 6: Import & Export Analysis + Tools: peframe, capa + Examine imported DLLs and functions. Map imports to + behavior categories: networking (ws2_32), crypto + (advapi32), process manipulation (kernel32). 
Check + exports for DLL functionality. + + $ peframe specimen.exe + $ capa specimen.exe + + Step 7: Disassembly (if needed) + Tools: ghidra, cutter, radare2 + Load into disassembler for code-level analysis. Start + at entry point, trace key functions. Use decompiler + for C-like view. + + $ ghidra + $ cutter specimen.exe + $ r2 specimen.exe + + Step 8: Document Findings + Record IOCs: hashes, IPs, domains, file paths, + registry keys, mutexes. Classify: malware family, + capabilities, confidence level. Decide: continue to + behavioral analysis? + +──────────────────────────────────────────────────────────── + Tip: 'fhelp cheat ' for full examples + 'Ctrl+G' for interactive cheatsheet browser diff --git a/data/generated/workflows/string-deobfuscation-workflow.txt b/data/generated/workflows/string-deobfuscation-workflow.txt new file mode 100644 index 0000000..56d5deb --- /dev/null +++ b/data/generated/workflows/string-deobfuscation-workflow.txt 
@@ -0,0 +1,66 @@ +============================================================ + String & Data Deobfuscation +============================================================ + + Decode obfuscated strings and data in malware. Covers XOR, Base64, stack strings, custom algorithms, and multi-layer encoding. + + Related FOR610 Labs: 1.5, 5.2 + +──────────────────────────────────────────────────────────── + + Step 1: Automated Extraction + Tools: floss, strings + Start with FLOSS for automatic deobfuscation (static + + stack + decoded strings). Compare against plain + strings output. FLOSS --no-static for only decoded + strings. + + $ floss specimen.exe + $ strings binary.exe + + Step 2: Encoding Detection + Tools: xorsearch, bbcrack + Identify encoding algorithm. XORSearch: detect XOR + with known plaintext (http:, MZ, This program). + bbcrack: brute-force XOR, ROL, ADD at multiple levels. + + $ XORSearch -W -d 3 file.bin + $ bbcrack -l 1 specimen.dll + + Step 3: Single-Byte XOR Recovery + Tools: brxor-py, xortool + For single-byte XOR: brxor.py finds English + words. xortool guesses key length and probable + key. xortool-xor -s -i -o decoded.bin to + decode. + + $ brxor.py specimen.dll + $ xortool + + Step 4: Multi-Byte / Custom Decoding + Tools: translate-py, cyberchef + For custom algorithms: translate.py 'byte ^ key' or + complex expressions. CyberChef for visual recipe + building (XOR → Base64 → Gunzip chains). Document the + recipe. + + $ translate.py "byte ^ 35" < input.bin > output.bin + $ cyberchef + + Step 5: Stack String Recovery + Tools: strdeob-pl, floss + For strings built on the stack (MOV byte-by-byte): + strdeob.pl or FLOSS stack string detection. + Common in evasive malware to avoid string extraction. + + $ strdeob.pl specimen.exe + $ floss specimen.exe + + Step 6: Validation & IOC Extraction + Review decoded strings. Extract IOCs: C2 addresses, + registry keys, file paths, API names, credentials. + Compare against known malware family patterns. 
+ +──────────────────────────────────────────────────────────── + Tip: 'fhelp cheat ' for full examples + 'Ctrl+G' for interactive cheatsheet browser diff --git a/data/generated/workflows/unpacking-workflow.txt b/data/generated/workflows/unpacking-workflow.txt new file mode 100644 index 0000000..5f1aa4a --- /dev/null +++ b/data/generated/workflows/unpacking-workflow.txt 
@@ -0,0 +1,86 @@ +============================================================ + Unpacking Packed Executables +============================================================ + + Unpack compressed, encrypted, or obfuscated executables to reveal the original code. Covers automated and manual techniques. + + Related FOR610 Labs: 4.1, 4.2, 4.3, 5.3, 5.8, 5.10 + +──────────────────────────────────────────────────────────── + + Step 1: Packing Identification + Tools: diec, peframe + Identify packer: DIE detects UPX, ASPack, PECompact, + Themida, etc. Check entropy (>7.0 suggests packing). + Look for: few imports, unusual section names (.UPX, + .packed). + + $ diec specimen.exe + $ peframe specimen.exe + + Step 2: Automated Unpacking + Tools: upx, de4dot + Try known unpackers first. UPX: upx -d . .NET: + de4dot . If automated unpacking fails + (modified packer), proceed to manual. + + $ upx -d packed.exe + $ de4dot obfuscated.exe + + Step 3: Emulation-Based Unpacking + Tools: speakeasy, qiling + Emulate execution to let the unpacker run. Speakeasy + and Qiling can trace API calls during unpacking + without a debugger. Look for VirtualAlloc followed by + memcpy patterns. + + $ speakeasy -t specimen.exe -o report.json 2> report.txt + $ python3 -c "from qiling import Qiling; ql = Qiling([''], '/path/to/rootfs')" + + Step 4: Debugger-Based Unpacking [W] + Tools: x64dbg, x32dbg + Set breakpoints on: VirtualAlloc/VirtualProtect + (memory allocation), tail JMP to OEP (end of + unpacker), or stack breakpoint (ESP trick). Step to + OEP. + + $ x64dbg.exe specimen.exe + $ x32dbg.exe specimen.exe + + Step 5: Anti-Debug Bypass [W] + Tools: scyllahide + If malware detects debugger: enable ScyllaHide. + Handles IsDebuggerPresent, NtQueryInformationProcess, + timing checks. + + $ Plugins > ScyllaHide > Options > Enable all + + Step 6: Memory Dumping [W] + Tools: ollydumpex, scylla + At OEP: dump process with OllyDumpEx. Fix IAT with + Scylla (IAT Autosearch → Get Imports → Fix Dump). 
+ + $ Plugins > OllyDumpEx > Dump process + $ Scylla x64 > Attach to process > Dump > IAT Autosearch > Fix Dump + + Step 7: PE Fixup [W] + Tools: pe-unmapper + If dump has virtual alignment: pe_unmapper /in + /base 400000 /out . Only needed if sections + have wrong raw sizes. + + $ pe_unmapper /in dumped.exe /base 400000 /out fixed.exe + + Step 8: Verification + Tools: strings, peframe, capa + Verify: strings are now visible, imports are + reasonable, capa detects capabilities. If good, route + to Static Analysis Workflow for full analysis. + + $ strings binary.exe + $ peframe specimen.exe + $ capa specimen.exe + +──────────────────────────────────────────────────────────── + Tip: 'fhelp cheat ' for full examples + 'Ctrl+G' for interactive cheatsheet browser diff --git a/data/remnux/categories-master.yaml b/data/remnux/categories-master.yaml new file mode 100644 index 0000000..6dfbdab --- /dev/null +++ b/data/remnux/categories-master.yaml 
@@ -0,0 +1,171 @@
+# Master Category Taxonomy
+# Maps REMnux docs 11-category hierarchy (primary) to FOR610 18 categories
+# REMnux categories are the public standard from docs.remnux.org
+
+categories:
+
+ # --- EXAMINE STATIC PROPERTIES ---
+ - id: examine-static-properties-general
+ name: "Examine Static Properties > General"
+ remnux_docs_path: "examine+static+properties/general"
+ for610_categories: [static-analysis-pe, yara-detection]
+
+ - id: examine-static-properties-pe
+ name: "Examine Static Properties > PE Files"
+ remnux_docs_path: "examine+static+properties/pe-files"
+ for610_categories: [static-analysis-pe]
+
+ - id: examine-static-properties-elf
+ name: "Examine Static Properties > ELF Files"
+ remnux_docs_path: "examine+static+properties/elf-files"
+ for610_categories: []
+
+ - id: examine-static-properties-dotnet
+ name: "Examine Static Properties > .NET"
+ remnux_docs_path: "examine+static+properties/.net"
+ for610_categories: [dotnet-analysis]
+
+ - id: examine-static-properties-go
+ name: "Examine Static Properties > Go"
+ remnux_docs_path: "examine+static+properties/go"
+ for610_categories: []
+
+ - id: examine-static-properties-deobfuscation
+ name: "Examine Static Properties > Deobfuscation"
+ remnux_docs_path: "examine+static+properties/deobfuscation"
+ for610_categories: [string-deobfuscation]
+
+ # --- STATICALLY ANALYZE CODE ---
+ - id: statically-analyze-code-general
+ name: "Statically Analyze Code > General"
+ remnux_docs_path: "statically+analyze+code/general"
+ for610_categories: [code-analysis]
+
+ - id: statically-analyze-code-unpacking
+ name: "Statically Analyze Code > Unpacking"
+ remnux_docs_path: "statically+analyze+code/unpacking"
+ for610_categories: [unpacking]
+
+ - id: statically-analyze-code-pe
+ name: "Statically Analyze Code > PE Files"
+ remnux_docs_path: "statically+analyze+code/pe-files"
+ for610_categories: [emulation]
+
+ - id: statically-analyze-code-python
+ name: "Statically Analyze Code > Python"
+ remnux_docs_path: "statically+analyze+code/python"
+ for610_categories: []
+
+ - id: statically-analyze-code-scripts
+ name: "Statically Analyze Code > Scripts"
+ remnux_docs_path: "statically+analyze+code/scripts"
+ for610_categories: [javascript-analysis]
+
+ - id: statically-analyze-code-java
+ name: "Statically Analyze Code > Java"
+ remnux_docs_path: "statically+analyze+code/java"
+ for610_categories: []
+
+ - id: statically-analyze-code-dotnet
+ name: "Statically Analyze Code > .NET"
+ remnux_docs_path: "statically+analyze+code/.net"
+ for610_categories: [dotnet-analysis]
+
+ - id: statically-analyze-code-android
+ name: "Statically Analyze Code > Android"
+ remnux_docs_path: "statically+analyze+code/android"
+ for610_categories: []
+
+ # --- DYNAMICALLY REVERSE-ENGINEER CODE ---
+ - id: dynamically-reverse-engineer-general
+ name: "Dynamically Reverse-Engineer Code > General"
+ remnux_docs_path: "dynamically+reverse-engineer+code/general"
+ for610_categories: [debugging]
+
+ - id: dynamically-reverse-engineer-shellcode
+ name: "Dynamically Reverse-Engineer Code > Shellcode"
+ remnux_docs_path: "dynamically+reverse-engineer+code/shellcode"
+ for610_categories: [emulation]
+
+ - id: dynamically-reverse-engineer-scripts
+ name: "Dynamically Reverse-Engineer Code > Scripts"
+ remnux_docs_path: "dynamically+reverse-engineer+code/scripts"
+ for610_categories: [javascript-analysis, powershell-analysis]
+
+ - id: dynamically-reverse-engineer-elf
+ name: "Dynamically Reverse-Engineer Code > ELF Files"
+ remnux_docs_path: "dynamically+reverse-engineer+code/elf-files"
+ for610_categories: []
+
+ # --- MEMORY FORENSICS ---
+ - id: perform-memory-forensics
+ name: "Perform Memory Forensics"
+ remnux_docs_path: "perform+memory+forensics"
+ for610_categories: []
+
+ # --- NETWORK INTERACTIONS ---
+ - id: explore-network-monitoring
+ name: "Explore Network Interactions > Monitoring"
+ remnux_docs_path: "explore+network+interactions/monitoring"
+ for610_categories: [network-analysis]
+
+ - id: explore-network-connecting
+ name: "Explore Network Interactions > Connecting"
+ remnux_docs_path: "explore+network+interactions/connecting"
+ for610_categories: [network-analysis]
+
+ - id: explore-network-services
+ name: "Explore Network Interactions > Services"
+ remnux_docs_path: "explore+network+interactions/services"
+ for610_categories: [network-analysis]
+
+ # --- SYSTEM INTERACTIONS ---
+ - id: investigate-system-interactions
+ name: "Investigate System Interactions"
+ remnux_docs_path: "investigate+system+interactions"
+ for610_categories: [behavioral-analysis]
+
+ # --- DOCUMENTS ---
+ - id: analyze-documents-general
+ name: "Analyze Documents > General"
+ remnux_docs_path: "analyze+documents/general"
+ for610_categories: [document-analysis]
+
+ - id: analyze-documents-pdf
+ name: "Analyze Documents > PDF"
+ remnux_docs_path: "analyze+documents/pdf"
+ for610_categories: [pdf-analysis]
+
+ - id: analyze-documents-office
+ name: "Analyze Documents > Microsoft Office"
+ remnux_docs_path: "analyze+documents/microsoft+office"
+ for610_categories: [document-analysis]
+
+ - id: analyze-documents-email
+ name: "Analyze Documents > Email Messages"
+ remnux_docs_path: "analyze+documents/email+messages"
+ for610_categories: [document-analysis]
+
+ # --- AI ---
+ - id: use-artificial-intelligence
+ name: "Use Artificial Intelligence"
+ remnux_docs_path: "use+artificial+intelligence"
+ for610_categories: []
+
+ # --- DATA GATHERING ---
+ - id: gather-and-analyze-data
+ name: "Gather and Analyze Data"
+ remnux_docs_path: "gather+and+analyze+data"
+ for610_categories: [yara-detection]
+
+ # --- VIEW/EDIT ---
+ - id: view-or-edit-files
+ name: "View or Edit Files"
+ remnux_docs_path: "view+or+edit+files"
+ for610_categories: [utilities]
+
+ # --- GENERAL UTILITIES ---
+ - id: general-utilities
+ name: "General Utilities"
+ remnux_docs_path: "general+utilities"
+ for610_categories: [utilities]
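Review bot: The header comment says this file maps onto FOR610's 18 categories, but only 15 distinct ids ever appear in a `for610_categories` list (static-analysis-pe, yara-detection, dotnet-analysis, string-deobfuscation, code-analysis, unpacking, emulation, javascript-analysis, debugging, powershell-analysis, network-analysis, behavioral-analysis, document-analysis, pdf-analysis, utilities), so three FOR610 categories are unreachable from any REMnux category, and eight REMnux categories (static ELF, Go, Python, Java, Android, dynamic ELF, memory forensics, AI) map to `[]` with nothing saying whether that is deliberate. The ids are free-form strings, so a misspelled one would match nothing and the tools behind it would presumably be dropped or misfiled by whatever consumes the map (the Makefile points at scripts/build-master-inventory.py, which is not in this diff). I would have that script validate every referenced id against the FOR610 category list and fail on unknown or never-referenced ids, and mark the intentional gaps here, e.g. `for610_categories: []  # no FOR610 equivalent` versus a `# TODO: map` marker. `statically-analyze-code-pe` → `[emulation]` also reads like a mis-mapping, since emulation is otherwise only used for the shellcode bucket under dynamic reverse-engineering; worth confirming.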
diff --git a/data/remnux/coverage-report.yaml b/data/remnux/coverage-report.yaml new file mode 100644 index 0000000..9cb2bd0 --- /dev/null +++ b/data/remnux/coverage-report.yaml 
@@ -0,0 +1,986 @@ +summary: + total_tools: 447 + in_remnux_count: 397 + help_tier_counts: + rich: 156 + standard: 118 + basic: 173 + source_coverage: + for610_only: 58 + remnux_docs_only: 51 + salt_states_only: 173 + all_three: 65 + for610_and_docs: 92 + for610_and_salt: 71 + docs_and_salt: 132 + no_coverage: 0 +needs_help: +- id: 7zip + name: 7zip + tier: basic +- id: aeskeyfind + name: aeskeyfind + tier: basic +- id: android-project-creator + name: android-project-creator + tier: basic +- id: apt-utils + name: apt-utils + tier: basic +- id: archive-zip + name: archive-zip + tier: basic +- id: autoconf + name: autoconf + tier: basic +- id: autologin + name: autologin + tier: basic +- id: automake + name: automake + tier: basic +- id: bash-history + name: bash-history + tier: basic +- id: bash-rc + name: bash-rc + tier: basic +- id: bearparser + name: bearparser + tier: basic +- id: binee + name: binee + tier: basic +- id: binutils + name: binutils + tier: basic +- id: build-essential + name: build-essential + tier: basic +- id: bundler + name: bundler + tier: basic +- id: burpsuite-community + name: burpsuite-community + tier: basic +- id: cffi + name: cffi + tier: basic +- id: clamav-daemon + name: clamav-daemon + tier: basic +- id: compatibility + name: compatibility + tier: basic +- id: default-jdk + name: default-jdk + tier: basic +- id: default-jre + name: default-jre + tier: basic +- id: dialog + name: dialog + tier: basic +- id: didier-stevens-suite + name: didier-stevens-scripts + tier: basic +- id: display + name: display + tier: basic +- id: distro-info + name: distro-info + tier: basic +- id: dllcharacteristics + name: dllcharacteristics + tier: basic +- id: dog + name: dog + tier: basic +- id: dot-cache + name: dot-cache + tier: basic +- id: dot-config + name: dot-config + tier: basic +- id: dot-cpan + name: dot-cpan + tier: basic +- id: dot-dbus + name: dot-dbus + tier: basic +- id: dot-local + name: dot-local + tier: basic +- id: dotnet-runtime-3-1 + 
name: dotnet-runtime-3-1 + tier: basic +- id: edb-debugger + name: edb-debugger + tier: basic +- id: enchant + name: enchant + tier: basic +- id: epic5 + name: epic5 + tier: basic +- id: exfat-utils + name: exfat-utils + tier: basic +- id: flare-floss + name: flare-floss + tier: basic +- id: flex + name: flex + tier: basic +- id: galculator + name: galculator + tier: basic +- id: gdb + name: gdb + tier: basic +- id: gdm3 + name: gdm3 + tier: basic +- id: gift + name: gift + tier: basic +- id: git + name: git + tier: basic +- id: gnome-session + name: gnome-session + tier: basic +- id: gnome-shell-extensions + name: gnome-shell-extensions + tier: basic +- id: gnome-terminal + name: gnome-terminal + tier: basic +- id: gnome-tweaks + name: gnome-tweaks + tier: basic +- id: gnutls-bin + name: gnutls-bin + tier: basic +- id: graphviz + name: graphviz + tier: basic +- id: grub-kvm + name: grub-kvm + tier: basic +- id: guest-tools + name: guest-tools + tier: basic +- id: i386-architecture + name: i386-architecture + tier: basic +- id: iproute2 + name: iproute2 + tier: basic +- id: iputils-ping + name: iputils-ping + tier: basic +- id: ipython3 + name: ipython3 + tier: basic +- id: lame + name: lame + tier: basic +- id: libboost-dev + name: libboost-dev + tier: basic +- id: libboost-python-dev + name: libboost-python-dev + tier: basic +- id: libboost-system-dev + name: libboost-system-dev + tier: basic +- id: libdpkg-perl + name: libdpkg-perl + tier: basic +- id: libemail-outlook-message-perl + name: libemail-outlook-message-perl + tier: basic +- id: libffi-dev + name: libffi-dev + tier: basic +- id: libfuse2 + name: libfuse2 + tier: basic +- id: libfuzzy-dev + name: libfuzzy-dev + tier: basic +- id: libfuzzy2 + name: libfuzzy2 + tier: basic +- id: libglib2 + name: libglib2 + tier: basic +- id: libglu1-mesa-dev + name: libglu1-mesa-dev + tier: basic +- id: libgraphviz-dev + name: libgraphviz-dev + tier: basic +- id: libgtk-3-0 + name: libgtk-3-0 + tier: basic +- id: 
libjavassist-java + name: libjavassist-java + tier: basic +- id: libjpeg-dev + name: libjpeg-dev + tier: basic +- id: libjpeg8-dev + name: libjpeg8-dev + tier: basic +- id: liblzma-dev + name: liblzma-dev + tier: basic +- id: liblzo2-dev + name: liblzo2-dev + tier: basic +- id: libmagic-dev + name: libmagic-dev + tier: basic +- id: libmysqlclient21 + name: libmysqlclient21 + tier: basic +- id: libncurses + name: libncurses + tier: basic +- id: libnetfilter-queue-dev + name: libnetfilter-queue-dev + tier: basic +- id: libnfnetlink-dev + name: libnfnetlink-dev + tier: basic +- id: libpq5 + name: libpq5 + tier: basic +- id: libqt5scripttools5 + name: libqt5scripttools5 + tier: basic +- id: libre2 + name: libre2 + tier: basic +- id: libsm6 + name: libsm6 + tier: basic +- id: libsqlite3-dev + name: libsqlite3-dev + tier: basic +- id: libssl-dev + name: libssl-dev + tier: basic +- id: libtool + name: libtool + tier: basic +- id: libtre5 + name: libtre5 + tier: basic +- id: libusb-1 + name: libusb-1 + tier: basic +- id: libxml2-dev + name: libxml2-dev + tier: basic +- id: libxslt1-dev + name: libxslt1-dev + tier: basic +- id: linux-headers + name: linux-headers + tier: basic +- id: ltrace + name: ltrace + tier: basic +- id: malcat + name: malcat + tier: basic +- id: manalyze + name: manalyze + tier: basic +- id: mercurial + name: mercurial + tier: basic +- id: microsoft + name: microsoft + tier: basic +- id: microsoft-vscode + name: microsoft-vscode + tier: basic +- id: mono + name: mono + tier: basic +- id: mono-devel + name: mono-devel + tier: basic +- id: mono-utils + name: mono-utils + tier: basic +- id: mynic + name: mynic + tier: basic +- id: nano + name: nano + tier: basic +- id: ndg-httpsclient + name: ndg-httpsclient + tier: basic +- id: net-tools + name: net-tools + tier: basic +- id: nodejs + name: nodejs + tier: basic +- id: openjdk + name: openjdk + tier: basic +- id: openssl + name: openssl + tier: basic +- id: osarch + name: osarch + tier: basic +- id: 
pe-tree + name: pe-tree + tier: basic +- id: pedump + name: pedump + tier: basic +- id: perl + name: perl + tier: basic +- id: readpe + name: pev + tier: basic +- id: pgadmin + name: pgadmin + tier: basic +- id: pip + name: pip + tier: basic +- id: pkg-config + name: pkg-config + tier: basic +- id: portex + name: portex + tier: basic +- id: prefer-ipv4 + name: prefer-ipv4 + tier: basic +- id: procyon-decompiler + name: procyon-decompiler + tier: basic +- id: protobuf + name: protobuf + tier: basic +- id: pycdc + name: pycdc + tier: basic +- id: pyelftools + name: pyelftools + tier: basic +- id: python-debian + name: python-debian + tier: basic +- id: python3 + name: python3 + tier: basic +- id: python3-cryptography + name: python3-cryptography + tier: basic +- id: python3-dev + name: python3-dev + tier: basic +- id: python3-dnspython + name: python3-dnspython + tier: basic +- id: python3-magic + name: python3-magic + tier: basic +- id: python3-netifaces + name: python3-netifaces + tier: basic +- id: python3-numpy + name: python3-numpy + tier: basic +- id: python3-pil + name: python3-pil + tier: basic +- id: python3-pip + name: python3-pip + tier: basic +- id: python3-pyasn1 + name: python3-pyasn1 + tier: basic +- id: python3-pyqt5 + name: python3-pyqt5 + tier: basic +- id: python3-requests + name: python3-requests + tier: basic +- id: python3-setuptools + name: python3-setuptools + tier: basic +- id: python3-ssdeep + name: python3-ssdeep + tier: basic +- id: python3-tk + name: python3-tk + tier: basic +- id: python3-venv + name: python3-venv + tier: basic +- id: python3-virtualenv + name: python3-virtualenv + tier: basic +- id: python3-wheel + name: python3-wheel + tier: basic +- id: qtbase5-dev + name: qtbase5-dev + tier: basic +- id: refresh + name: refresh + tier: basic +- id: remnux + name: remnux + tier: basic +- id: remove-app-icons + name: remove-app-icons + tier: basic +- id: rhino + name: rhino + tier: basic +- id: rsakeyfind + name: rsakeyfind + tier: 
basic +- id: ruby + name: ruby + tier: basic +- id: ruby-dev + name: ruby-dev + tier: basic +- id: salt-minion + name: salt-minion + tier: basic +- id: sharutils + name: sharutils + tier: basic +- id: sift + name: sift + tier: basic +- id: sleuthkit + name: sleuthkit + tier: basic +- id: snap + name: snap + tier: basic +- id: snapd + name: snapd + tier: basic +- id: software-properties-common + name: software-properties-common + tier: basic +- id: ssh + name: ssh + tier: basic +- id: strace + name: strace + tier: basic +- id: subversion + name: subversion + tier: basic +- id: sudo + name: sudo + tier: basic +- id: sudoers + name: sudoers + tier: basic +- id: tzdata + name: tzdata + tier: basic +- id: ubuntu + name: ubuntu + tier: basic +- id: ubuntu-universe + name: ubuntu-universe + tier: basic +- id: user + name: user + tier: basic +- id: vim + name: vim + tier: basic +- id: vscode + name: vscode + tier: basic +- id: wireshark-dev + name: wireshark-dev + tier: basic +- id: xdg-utils + name: xdg-utils + tier: basic +- id: xmlstarlet + name: xmlstarlet + tier: basic +- id: xterm + name: xterm + tier: basic +- id: zbar-tools + name: zbar-tools + tier: basic +- id: zlib1g-dev + name: zlib1g-dev + tier: basic +rich_tools: +- id: 1768-py + name: 1768.py +- id: bytehist + name: Bytehist +- id: clamav + name: ClamAV +- id: cutter + name: Cutter +- id: cyberchef + name: CyberChef +- id: floss + name: FLOSS +- id: frida + name: Frida +- id: ghidra + name: Ghidra +- id: ilspy + name: ILSpy +- id: inetsim + name: INetSim +- id: malchive + name: Malchive +- id: procdot + name: ProcDOT +- id: spidermonkey + name: SpiderMonkey +- id: thug + name: Thug +- id: upx + name: UPX +- id: unfurl + name: Unfurl +- id: visual-studio-code + name: Visual Studio Code +- id: vivisect + name: Vivisect +- id: wine + name: Wine +- id: wireshark + name: Wireshark +- id: xlmmacrodeobfuscator + name: XLMMacroDeobfuscator +- id: xorsearch + name: XORSearch +- id: androguard + name: androguard +- 
id: apktool + name: apktool +- id: base64dump-py + name: base64dump.py +- id: bbcrack + name: bbcrack +- id: binwalk + name: binwalk +- id: box-js + name: box-js +- id: brxor-py + name: brxor.py +- id: capa + name: capa +- id: cfr + name: cfr +- id: cs-analyze-processdump-py + name: cs-analyze-processdump.py +- id: cs-decrypt-metadata-py + name: cs-decrypt-metadata.py +- id: cs-extract-key-py + name: cs-extract-key.py +- id: cs-parse-traffic-py + name: cs-parse-traffic.py +- id: curl + name: curl +- id: dc3-mwcp + name: dc3-mwcp +- id: de4dot + name: de4dot +- id: diec + name: diec +- id: emldump-py + name: emldump.py +- id: evilclippy + name: evilclippy +- id: exiftool + name: exiftool +- id: fakedns + name: fakedns +- id: fakenet-ng + name: fakenet-ng +- id: feh + name: feh +- id: file + name: file +- id: gunzip + name: gunzip +- id: hexdump + name: hexdump +- id: httpd + name: httpd +- id: ilspycmd + name: ilspycmd +- id: ioc-parser + name: ioc-parser +- id: iptables + name: iptables +- id: jadx + name: jadx +- id: jd-gui + name: jd-gui +- id: jq + name: jq +- id: js-beautify + name: js-beautify +- id: mail-parser + name: mail-parser +- id: malwoverview + name: malwoverview +- id: mitmproxy + name: mitmproxy +- id: msg-extractor + name: msg-extractor +- id: msoffcrypto-tool + name: msoffcrypto-tool +- id: netcat + name: nc +- id: networkminer + name: networkminer +- id: ngrep + name: ngrep +- id: nslookup + name: nslookup +- id: numbers-to-string-py + name: numbers-to-string.py +- id: oledump-py + name: oledump.py +- id: olevba + name: olevba +- id: pcode2code + name: pcode2code +- id: pdf-parser-py + name: pdf-parser.py +- id: pdfid-py + name: pdfid.py +- id: pdfresurrect + name: pdfresurrect +- id: pdftk + name: pdftk +- id: pdftool-py + name: pdftool.py +- id: peepdf + name: peepdf +- id: peframe + name: peframe +- id: pestr + name: pestr +- id: polarproxy + name: polarproxy +- id: pyinstxtractor-ng + name: pyinstxtractor-ng +- id: qiling + name: qiling +- 
id: qpdf + name: qpdf +- id: radare2 + name: radare2 +- id: rar + name: rar +- id: rtfdump-py + name: rtfdump.py +- id: runsc32 + name: runsc32 +- id: scdbgc + name: scdbgc +- id: shcode2exe + name: shcode2exe +- id: speakeasy + name: speakeasy +- id: ssdeep + name: ssdeep +- id: strdeob-pl + name: strdeob.pl +- id: strings + name: strings +- id: tcpdump + name: tcpdump +- id: tcpflow + name: tcpflow +- id: tcpxtract + name: tcpxtract +- id: torsocks + name: torsocks +- id: translate-py + name: translate.py +- id: trid + name: trid +- id: tshark + name: tshark +- id: uncompyle6 + name: uncompyle6 +- id: unzip + name: unzip +- id: volatility3 + name: volatility3 +- id: wget + name: wget +- id: xortool + name: xortool +- id: xxd + name: xxd +- id: yara + name: yara +- id: zipdump-py + name: zipdump.py +standard_tools: +- id: 7-zip + name: 7-Zip +- id: aeskeyfinder + name: AESKeyFinder +- id: androidprojectcreator + name: AndroidProjectCreator +- id: burp-suite-community-edition + name: Burp Suite Community Edition +- id: cobalt-strike-configuration-extractor-csce-and-parser + name: Cobalt Strike Configuration Extractor (CSCE) and Parser +- id: decompyle + name: Decompyle++ +- id: epic-irc-client + name: EPIC IRC Client +- id: gnome-calculator + name: GNOME Calculator +- id: gnu-wget + name: GNU Wget +- id: ghidrassistmcp + name: GhidrAssistMCP +- id: hachoir + name: Hachoir +- id: hash-id + name: Hash ID +- id: jd-gui-java-decompiler + name: JD-GUI Java Decompiler +- id: javassist + name: Javassist +- id: malcat-lite + name: Malcat Lite +- id: network-miner-free-edition + name: Network Miner Free Edition +- id: procyon + name: Procyon +- id: remnux-installer + name: REMnux Installer +- id: rsakeyfinder + name: RSAKeyFinder +- id: sqlite + name: SQLite +- id: sleuth-kit + name: Sleuth Kit +- id: yara-forge-rules + name: YARA-Forge Rules +- id: anomy + name: anomy +- id: apkid + name: apkid +- id: autoit-ripper + name: autoit-ripper +- id: baksmali + name: baksmali +- 
id: balbuzard + name: balbuzard +- id: binee-binary-emulation-environment + name: binee (Binary Emulation Environment) +- id: bulk-extractor + name: bulk-extractor +- id: cabextract + name: cabextract +- id: cast + name: cast +- id: chepy + name: chepy +- id: cut-bytes-py + name: cut-bytes.py +- id: decode-vbe-py + name: decode-vbe.py +- id: dex2jar + name: dex2jar +- id: dexray + name: dexray +- id: disitool + name: disitool +- id: dissect + name: dissect +- id: dnfile + name: dnfile +- id: dnslib + name: dnslib +- id: dnsresolver-py + name: dnsresolver.py +- id: docker + name: docker +- id: dos2unix + name: dos2unix +- id: dotnetfile + name: dotnetfile +- id: droidlysis + name: droidlysis +- id: evince + name: evince +- id: ex-pe-xor + name: ex-pe-xor +- id: fakemail + name: fakemail +- id: file-magic-py + name: file-magic.py +- id: firefox + name: firefox +- id: format-bytes-py + name: format-bytes.py +- id: goresym + name: goresym +- id: hex-to-bin-py + name: hex-to-bin.py +- id: ibus + name: ibus +- id: imagemagick + name: imagemagick +- id: inspircd + name: inspircd +- id: ipwhois + name: ipwhois +- id: java-idx-parser + name: java-idx-parser +- id: jstillery + name: jstillery +- id: libemu + name: libemu +- id: libolecf + name: libolecf +- id: lief + name: lief +- id: magika + name: magika +- id: mbcscan + name: mbcscan +- id: monodis + name: monodis +- id: msgconvert + name: msgconvert +- id: msitools + name: msitools +- id: msoffcrypto-crack-py + name: msoffcrypto-crack.py +- id: msoffice-crypt + name: msoffice-crypt +- id: myip + name: myip +- id: myjson-filter-py + name: myjson-filter.py +- id: name-that-hash + name: name-that-hash +- id: nasm + name: nasm +- id: nautilus + name: nautilus +- id: nginx + name: nginx +- id: nomorexor + name: nomorexor +- id: nsrllookup + name: nsrllookup +- id: objdump + name: objdump +- id: objects-js + name: objects.js +- id: olefile + name: olefile +- id: onedump-py + name: onedump.py +- id: opencode + name: opencode +- 
id: openssh + name: openssh +- id: origami + name: origamindee +- id: pcodedmp + name: pcodedmp +- id: pdnstool + name: pdnstool +- id: powershell + name: powershell +- id: pyinstaller-extractor + name: pyinstaller-extractor +- id: re-search-py + name: re-search.py +- id: redress + name: redress +- id: remnux-mcp-server + name: remnux-mcp-server +- id: sandfly-processdecloak + name: sandfly-processdecloak +- id: scalpel + name: scalpel +- id: scite + name: scite +- id: sets-py + name: sets.py +- id: shellcode2exe-bat + name: shellcode2exe-bat +- id: signsrch + name: signsrch +- id: sortcanon-py + name: sortcanon.py +- id: ssview + name: ssview +- id: tcpick + name: tcpick +- id: tesseract-ocr + name: tesseract-ocr +- id: texteditor-py + name: texteditor.py +- id: thefuzz + name: thefuzz +- id: time-decode + name: time-decode +- id: tor + name: tor +- id: unhide + name: unhide +- id: unicode + name: unicode +- id: unxor + name: unxor +- id: vbindiff + name: vbindiff +- id: virustotal-search + name: virustotal-search +- id: virustotal-submit + name: virustotal-submit +- id: wxhexeditor + name: wxhexeditor +- id: xmldump-py + name: xmldump.py +- id: xor-kpa-py + name: xor-kpa.py +- id: xorbruteforcer + name: xorbruteforcer +- id: xorstrings + name: xorstrings +- id: yara-x + name: yara-x +- id: zbarimg + name: zbarimg diff --git a/data/remnux/sources/remnux-docs.yaml b/data/remnux/sources/remnux-docs.yaml new file mode 100644 index 0000000..45f23ec --- /dev/null +++ b/data/remnux/sources/remnux-docs.yaml 
@@ -0,0 +1,1846 @@ +metadata: + source: https://docs.remnux.org/discover-the-tools + categories_scraped: 31 + total_tools_extracted: 217 + category_counts: + Examine Static Properties > General: 28 + Examine Static Properties > .NET: 3 + Examine Static Properties > Go: 2 + Examine Static Properties > Deobfuscation: 31 + Statically Analyze Code > General: 6 + Statically Analyze Code > Unpacking: 5 + Statically Analyze Code > PE Files: 5 + Statically Analyze Code > Python: 4 + Statically Analyze Code > Scripts: 3 + Statically Analyze Code > Java: 5 + Statically Analyze Code > .NET: 2 + Statically Analyze Code > Android: 8 + Dynamically Reverse-Engineer Code > General: 4 + Dynamically Reverse-Engineer Code > Shellcode: 8 + Dynamically Reverse-Engineer Code > Scripts: 8 + Perform Memory Forensics: 4 + Explore Network Interactions > Monitoring: 12 + Explore Network Interactions > Connecting: 9 + Explore Network Interactions > Services: 9 + Investigate System Interactions: 3 + Analyze Documents > General: 2 + Analyze Documents > PDF: 8 + Analyze Documents > Microsoft Office: 17 + Analyze Documents > Email Messages: 4 + Use Artificial Intelligence: 4 + Gather and Analyze Data: 14 + View or Edit Files: 8 + General Utilities: 22 +tools: +- name: 1768.py + id: 1768-py + category: Examine Static Properties > Deobfuscation + category_path: examine+static+properties/deobfuscation + description: Analyze Cobalt Strike beacons. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + anchor: id-1768.py + website: https://blog.didierstevens.com/2021/05/22/update-1768-py-version-0-0-6/ +- name: 7-Zip + id: 7-zip + category: Examine Static Properties > General + category_path: examine+static+properties/general + description: Compress and decompress files using a variety of algorithms. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + anchor: id-7-zip + website: https://www.7-zip.org + additional_categories: + - General Utilities +- name: accept-all-ips + id: accept-all-ips + category: Explore Network Interactions > Services + category_path: explore+network+interactions/services + description: Accept connections to all IPv4 and IPv6 addresses and redirect it to + the corresponding local port. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services + anchor: accept-all-ips + website: https://github.com/REMnux/distro/blob/master/files/accept-all-ips +- name: AESKeyFinder + id: aeskeyfinder + category: Perform Memory Forensics + category_path: perform+memory+forensics + description: Find 128-bit and 256-bit AES keys in a memory image. + docs_url: https://docs.remnux.org/discover-the-tools/perform+memory+forensics + anchor: aeskeyfinder + website: https://citp.princeton.edu/our-work/memory/ +- name: androguard + id: androguard + category: Statically Analyze Code > Android + category_path: statically+analyze+code/android + description: Examine Android files. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android + anchor: androguard + website: https://github.com/androguard/androguard +- name: AndroidProjectCreator + id: androidprojectcreator + category: Statically Analyze Code > Android + category_path: statically+analyze+code/android + description: Convert an Android APK application file into an Android Studio project + for easier analysis. 
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android + anchor: androidprojectcreator + website: https://maxkersten.nl/projects/androidprojectcreator +- name: Anomy + id: anomy + category: Explore Network Interactions > Connecting + category_path: explore+network+interactions/connecting + description: A wrapper around wget, ssh, sftp, ftp, and telnet to route these connections + through Tor to anonymize your traffic. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting + anchor: anomy + website: https://github.com/izm1chael/Anomy +- name: APKiD + id: apkid + category: Statically Analyze Code > Android + category_path: statically+analyze+code/android + description: Identify compilers, packers, and obfuscators used to protect Android + APK and DEX files. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android + anchor: apkid + website: https://github.com/rednaga/APKiD +- name: apktool + id: apktool + category: Statically Analyze Code > Android + category_path: statically+analyze+code/android + description: Reverse-engineer Android APK files. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android + anchor: apktool + website: https://ibotpeaches.github.io/Apktool/ +- name: AutoIt-Ripper + id: autoit-ripper + category: Statically Analyze Code > Scripts + category_path: statically+analyze+code/scripts + description: Extract AutoIt scripts embedded in PE binaries. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts + anchor: autoit-ripper + website: https://github.com/nazywam/AutoIt-Ripper +- name: baksmali + id: baksmali + category: Statically Analyze Code > Android + category_path: statically+analyze+code/android + description: Disassembler for the dex format used by Dalvik, Android's Java + VM implementation. 
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android + anchor: baksmali + website: https://bitbucket.org/JesusFreke/smali +- name: Balbuzard + id: balbuzard + category: Examine Static Properties > Deobfuscation + category_path: examine+static+properties/deobfuscation + description: Extract and deobfuscate patterns from suspicious files. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + anchor: balbuzard + website: https://github.com/digitalsleuth/balbuzard +- name: base64dump.py + id: base64dump-py + category: Examine Static Properties > Deobfuscation + category_path: examine+static+properties/deobfuscation + description: Locate and decode strings encoded in Base64 and other common encodings. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + anchor: base64dump.py + website: https://blog.didierstevens.com/2020/07/03/update-base64dump-py-version-0-0-12/ + additional_categories: + - Analyze Documents > General +- name: binee (Binary Emulation Environment) + id: binee-binary-emulation-environment + category: Statically Analyze Code > PE Files + category_path: statically+analyze+code/pe-files + description: Analyze I/O operations of a suspicious PE file by emulating its execution. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files + anchor: binee-binary-emulation-environment + website: https://github.com/carbonblack/binee +- name: binwalk + id: binwalk + category: Examine Static Properties > General + category_path: examine+static+properties/general + description: Extract and analyze firmware images. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + anchor: binwalk + website: https://github.com/ReFirmLabs/binwalk + additional_categories: + - Statically Analyze Code > Unpacking +- name: box-js + id: box-js + category: Dynamically Reverse-Engineer Code > Scripts + category_path: dynamically+reverse-engineer+code/scripts + description: Analyze suspicious JavaScript scripts. + docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts + anchor: box-js + website: https://github.com/CapacitorSet/box-js +- name: brxor.py + id: brxor-py + category: Examine Static Properties > Deobfuscation + category_path: examine+static+properties/deobfuscation + description: Bruteforce XOR'ed strings to find those that are English words. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + anchor: brxor.py + website: https://github.com/REMnux/distro/blob/master/files/brxor.py +- name: bulk_extractor + id: bulk-extractor + category: Examine Static Properties > General + category_path: examine+static+properties/general + description: Extract interesting strings from binary files. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + anchor: bulk_extractor + website: https://github.com/simsong/bulk_extractor/ + additional_categories: + - Perform Memory Forensics +- name: Burp Suite Community Edition + id: burp-suite-community-edition + category: Explore Network Interactions > Monitoring + category_path: explore+network+interactions/monitoring + description: Investigate website interactions using this web proxy. 
+ docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring + anchor: burp-suite-community-edition + website: https://portswigger.net +- name: Bytehist + id: bytehist + category: Statically Analyze Code > Unpacking + category_path: statically+analyze+code/unpacking + description: Generate byte-usage-histograms for all types of files with a focus + on PE files. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/unpacking + anchor: bytehist + website: https://www.cert.at/downloads/software/bytehist_en.html +- name: cabextract + id: cabextract + category: General Utilities + category_path: general+utilities + description: Extract Microsoft cabinet (cab) files. + docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + anchor: cabextract + website: https://www.cabextract.org.uk +- name: capa + id: capa + category: Statically Analyze Code > PE Files + category_path: statically+analyze+code/pe-files + description: Detect suspicious capabilities in PE files. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files + anchor: capa + website: https://github.com/mandiant/capa +- name: Cast + id: cast + category: General Utilities + category_path: general+utilities + description: Install and manage SaltStack-based Linux distributions. + docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + anchor: cast + website: https://github.com/ekristen/cast +- name: cfr + id: cfr + category: Statically Analyze Code > Java + category_path: statically+analyze+code/java + description: Java decompiler. 
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/java + anchor: cfr + website: https://www.benf.org/other/cfr/ +- name: Chepy + id: chepy + category: Examine Static Properties > Deobfuscation + category_path: examine+static+properties/deobfuscation + description: Decode and otherwise analyze data using this command-line tool and + Python library. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + anchor: chepy + website: https://github.com/securisec/chepy +- name: ClamAV + id: clamav + category: Examine Static Properties > General + category_path: examine+static+properties/general + description: Scan files for malware signatures. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + anchor: clamav + website: https://www.clamav.net + additional_categories: + - Statically Analyze Code > Unpacking +- name: Cobalt Strike Configuration Extractor (CSCE) and Parser + id: cobalt-strike-configuration-extractor-csce-and-parser + category: Examine Static Properties > Deobfuscation + category_path: examine+static+properties/deobfuscation + description: Analyze Cobalt Strike beacons. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + anchor: csce + website: https://github.com/strozfriedberg/cobaltstrike-config-extractor +- name: cs-analyze-processdump.py + id: cs-analyze-processdump-py + category: Examine Static Properties > Deobfuscation + category_path: examine+static+properties/deobfuscation + description: Analyze Cobalt Strike beacon process dumps to detect sleep mask encoding. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + anchor: cs-analyze-processdump.py + website: https://blog.didierstevens.com/2021/11/25/new-tool-cs-analyze-processdump-py/ +- name: cs-decrypt-metadata.py + id: cs-decrypt-metadata-py + category: Examine Static Properties > Deobfuscation + category_path: examine+static+properties/deobfuscation + description: Decrypt Cobalt Strike metadata. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + anchor: cs-decrypt-metadata.py + website: https://blog.didierstevens.com/2021/11/12/update-cs-decrypt-metadata-py-version-0-0-2/ +- name: cs-extract-key.py + id: cs-extract-key-py + category: Examine Static Properties > Deobfuscation + category_path: examine+static+properties/deobfuscation + description: Extract AES and HMAC keys from Cobalt Strike beacon process memory. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + anchor: cs-extract-key.py + website: https://blog.didierstevens.com/2021/11/03/new-tool-cs-extract-key-py/ +- name: cs-parse-traffic.py + id: cs-parse-traffic-py + category: Explore Network Interactions > Monitoring + category_path: explore+network+interactions/monitoring + description: Decrypt and parse Cobalt Strike beacon network traffic. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring + anchor: cs-parse-traffic.py + website: https://blog.didierstevens.com/2021/11/29/new-tool-cs-parse-traffic-py/ +- name: cURL + id: curl + category: Explore Network Interactions > Connecting + category_path: explore+network+interactions/connecting + description: Interact with servers via supported protocols, including HTTP, HTTPS, + FTP, IMAP, etc. 
+ docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting + anchor: curl + website: https://curl.se + additional_categories: + - General Utilities +- name: cut-bytes.py + id: cut-bytes-py + category: Examine Static Properties > Deobfuscation + category_path: examine+static+properties/deobfuscation + description: Cut out a part of a data stream. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + anchor: cut-bytes.py + website: https://blog.didierstevens.com/2015/10/14/cut-bytes-py/ +- name: Cutter + id: cutter + category: Statically Analyze Code > General + category_path: statically+analyze+code/general + description: Reverse engineering platform powered by Rizin. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/general + anchor: cutter + website: https://cutter.re +- name: CyberChef + id: cyberchef + category: Examine Static Properties > Deobfuscation + category_path: examine+static+properties/deobfuscation + description: Decode and otherwise analyze data using this browser app. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + anchor: cyberchef + website: https://github.com/gchq/CyberChef/ +- name: DC3-MWCP + id: dc3-mwcp + category: Examine Static Properties > Deobfuscation + category_path: examine+static+properties/deobfuscation + description: Parsing configuration information from malware. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + anchor: dc3-mwcp + website: https://github.com/Defense-Cyber-Crime-Center/DC3-mwcp +- name: de4dot + id: de4dot + category: Statically Analyze Code > .NET + category_path: statically+analyze+code/.net + description: Deobfuscate and unpack. 
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/.net + anchor: de4dot + website: https://github.com/0xd4d/de4dot +- name: decode-vbe.py + id: decode-vbe-py + category: Statically Analyze Code > Scripts + category_path: statically+analyze+code/scripts + description: Decode encoded VBS scripts (VBE). + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts + anchor: decode-vbe.py + website: https://blog.didierstevens.com/2016/03/29/decoding-vbe/ +- name: Decompyle++ + id: decompyle + category: Statically Analyze Code > Python + category_path: statically+analyze+code/python + description: Python bytecode disassembler and decompiler. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/python + anchor: decompyle + website: https://github.com/zrax/pycdc +- name: Detect-It-Easy + id: detect-it-easy + category: Examine Static Properties > General + category_path: examine+static+properties/general + description: Determine types of files and examine file properties. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + anchor: detect-it-easy + website: https://github.com/horsicq/Detect-It-Easy + additional_categories: + - Statically Analyze Code > General +- name: dex2jar + id: dex2jar + category: Statically Analyze Code > Android + category_path: statically+analyze+code/android + description: Examine Dalvik Executable (dex) files. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android + anchor: dex2jar + website: https://github.com/pxb1988/dex2jar +- name: DeXRAY + id: dexray + category: Gather and Analyze Data + category_path: gather+and+analyze+data + description: Extract and decode data from antivirus quarantine files. 
+ docs_url: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + anchor: dexray + website: https://www.hexacorn.com/blog/category/software-releases/dexray/ +- name: disitool + id: disitool + category: Examine Static Properties > General + category_path: examine+static+properties/general + description: Manipulate embedded digital signatures. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + anchor: disitool + website: https://blog.didierstevens.com/programs/disitool/ +- name: dissect + id: dissect + category: Gather and Analyze Data + category_path: gather+and+analyze+data + description: Perform a variety of forensics and incident response tasks using this + DFIR framework and toolset. + docs_url: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + anchor: dissect + website: https://github.com/fox-it/dissect +- name: dnfile + id: dnfile + category: Examine Static Properties > .NET + category_path: examine+static+properties/.net + description: Analyze static properties of. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/.net + anchor: dnfile + website: https://github.com/malwarefrank/dnfile +- name: dnslib + id: dnslib + category: Gather and Analyze Data + category_path: gather+and+analyze+data + description: Python library to encode/decode DNS wire-format packets. + docs_url: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + anchor: dnslib + website: https://github.com/paulc/dnslib +- name: dnsresolver.py + id: dnsresolver-py + category: Explore Network Interactions > Services + category_path: explore+network+interactions/services + description: DNS resolver tool for dynamic analysis with wildcard and tracking support. 
+ docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services + anchor: dnsresolver.py + website: https://blog.didierstevens.com/2021/07/15/new-tool-dnsresolver-py/ +- name: Docker + id: docker + category: General Utilities + category_path: general+utilities + description: Run and manage containers. + docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + anchor: docker + website: https://www.docker.com +- name: dos2unix + id: dos2unix + category: View or Edit Files + category_path: view+or+edit+files + description: Convert text files with Windows or macOS line breaks to Unix line breaks + and vice versa. + docs_url: https://docs.remnux.org/discover-the-tools/view+or+edit+files + anchor: dos2unix + website: https://waterlan.home.xs4all.nl/dos2unix.html +- name: dotnetfile + id: dotnetfile + category: Examine Static Properties > .NET + category_path: examine+static+properties/.net + description: Analyze static properties of. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/.net + anchor: dotnetfile + website: https://github.com/pan-unit42/dotnetfile +- name: DroidLysis + id: droidlysis + category: Examine Static Properties > General + category_path: examine+static+properties/general + description: Perform static analysis of Android applications. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + anchor: droidlysis + website: https://github.com/cryptax/droidlysis + additional_categories: + - Statically Analyze Code > Android +- name: emldump.py + id: emldump-py + category: Analyze Documents > Email Messages + category_path: analyze+documents/email+messages + description: Parse and analyze EML files. 
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages + anchor: emldump.py + website: https://blog.didierstevens.com/2020/11/29/update-emldump-py-version-0-0-11/ +- name: EPIC IRC Client + id: epic-irc-client + category: Explore Network Interactions > Connecting + category_path: explore+network+interactions/connecting + description: Examine IRC activities with this IRC client. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting + anchor: epic-irc-client + website: https://www.epicsol.org/ +- name: EvilClippy + id: evilclippy + category: Analyze Documents > Microsoft Office + category_path: analyze+documents/microsoft+office + description: Modify aspects of Microsoft Office documents. + docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + anchor: evilclippy + website: https://github.com/outflanknl/EvilClippy +- name: Evince + id: evince + category: View or Edit Files + category_path: view+or+edit+files + description: View documents in a variety of formats, including PDF. + docs_url: https://docs.remnux.org/discover-the-tools/view+or+edit+files + anchor: evince + website: https://wiki.gnome.org/Apps/Evince +- name: ex_pe_xor.py + id: ex-pe-xor-py + category: Examine Static Properties > Deobfuscation + category_path: examine+static+properties/deobfuscation + description: Search an XOR'ed file for indications of executable binaries. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + anchor: ex_pe_xor.py + website: https://hooked-on-mnemonics.blogspot.com/2014/04/expexorpy.html +- name: ExifTool + id: exiftool + category: Examine Static Properties > General + category_path: examine+static+properties/general + description: Tool to read from, write to, and edit EXIF metadata of various file + types. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + anchor: exiftool + website: https://exiftool.org/ +- name: fakedns + id: fakedns + category: Explore Network Interactions > Services + category_path: explore+network+interactions/services + description: Respond to DNS queries with the specified IP address. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services + anchor: fakedns + website: https://github.com/SocialExploits/fakedns/blob/main/fakedns.py +- name: fakemail + id: fakemail + category: Explore Network Interactions > Services + category_path: explore+network+interactions/services + description: Intercept and examine SMTP email activity with this fake SMTP server. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services + anchor: fakemail + website: https://hg.sr.ht/~olly/fakemail +- name: FakeNet-NG + id: fakenet-ng + category: Explore Network Interactions > Services + category_path: explore+network+interactions/services + description: Emulate common network services and interact with malware. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services + anchor: fakenet-ng + website: https://github.com/mandiant/flare-fakenet-ng +- name: feh + id: feh + category: View or Edit Files + category_path: view+or+edit+files + description: View images. + docs_url: https://docs.remnux.org/discover-the-tools/view+or+edit+files + anchor: feh + website: https://feh.finalrewind.org +- name: file + id: file + category: Examine Static Properties > General + category_path: examine+static+properties/general + description: Identify file type using "magic" numbers. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + anchor: file + website: https://github.com/file/file +- name: file-magic.py + id: file-magic-py + category: Examine Static Properties > General + category_path: examine+static+properties/general + description: Identify file types using the Python magic module. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + anchor: file-magic.py + website: https://blog.didierstevens.com/2018/07/11/new-tool-file-magic-py/ +- name: Firefox + id: firefox + category: General Utilities + category_path: general+utilities + description: Web browser. + docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + anchor: firefox + website: https://www.mozilla.org/firefox/ +- name: FLOSS + id: floss + category: Examine Static Properties > Deobfuscation + category_path: examine+static+properties/deobfuscation + description: Extract and deobfuscate strings from PE executables. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + anchor: floss + website: https://github.com/mandiant/flare-floss +- name: format-bytes.py + id: format-bytes-py + category: Examine Static Properties > Deobfuscation + category_path: examine+static+properties/deobfuscation + description: Decompose structured binary data with format strings. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + anchor: format-bytes.py + website: https://blog.didierstevens.com/2020/02/17/update-format-bytes-py-version-0-0-13/ +- name: Frida + id: frida + category: Dynamically Reverse-Engineer Code > General + category_path: dynamically+reverse-engineer+code/general + description: Trace the execution of a process to analyze its behavior. 
+ docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/general + anchor: frida + website: https://frida.re +- name: Ghidra + id: ghidra + category: Statically Analyze Code > General + category_path: statically+analyze+code/general + description: Software reverse engineering tool suite. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/general + anchor: ghidra + website: https://ghidra-sre.org +- name: GhidrAssistMCP + id: ghidrassistmcp + category: Use Artificial Intelligence + category_path: use+artificial+intelligence + description: MCP server for AI-assisted reverse engineering in Ghidra. + docs_url: https://docs.remnux.org/discover-the-tools/use+artificial+intelligence + anchor: ghidrassistmcp + website: https://github.com/jtang613/GhidrAssistMCP +- name: GNOME Calculator + id: gnome-calculator + category: General Utilities + category_path: general+utilities + description: Calculator. + docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + anchor: gnome-calculator + website: https://wiki.gnome.org/Apps/Calculator +- name: GNU Wget + id: gnu-wget + category: Explore Network Interactions > Connecting + category_path: explore+network+interactions/connecting + description: Interact with servers via HTTP, HTTPS, FTP, and FTPS using this command-line + tool. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting + anchor: gnu-wget + website: https://www.gnu.org/software/wget/ +- name: GoReSym + id: goresym + category: Examine Static Properties > Go + category_path: examine+static+properties/go + description: Extract metadata and symbols from Go binaries, including stripped ones. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/go + anchor: goresym + website: https://github.com/mandiant/GoReSym +- name: Hachoir + id: hachoir + category: Examine Static Properties > General + category_path: examine+static+properties/general + description: View, edit, and carve contents of various binary file types. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + anchor: hachoir + website: https://github.com/vstinner/hachoir + additional_categories: + - Analyze Documents > Microsoft Office +- name: Hash ID + id: hash-id + category: Examine Static Properties > General + category_path: examine+static+properties/general + description: Identify different types of hashes. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + anchor: hash-id + website: https://github.com/blackploit/hash-identifier +- name: hex-to-bin.py + id: hex-to-bin-py + category: Examine Static Properties > Deobfuscation + category_path: examine+static+properties/deobfuscation + description: Convert hexadecimal text dumps to binary data. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + anchor: hex-to-bin.py + website: https://blog.didierstevens.com/2020/04/19/update-hex-to-bin-py-version-0-0-5/ +- name: IBus + id: ibus + category: General Utilities + category_path: general+utilities + description: Adjust input methods for the GUI. + docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + anchor: ibus + website: https://github.com/ibus/ibus +- name: ILSpy + id: ilspy + category: Statically Analyze Code > .NET + category_path: statically+analyze+code/.net + description: Examine and decompile. 
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/.net + anchor: ilspy + website: https://github.com/icsharpcode/ILSpy +- name: ImageMagick + id: imagemagick + category: View or Edit Files + category_path: view+or+edit+files + description: View and manipulate image and related files. + docs_url: https://docs.remnux.org/discover-the-tools/view+or+edit+files + anchor: imagemagick + website: https://imagemagick.org/ +- name: INetSim + id: inetsim + category: Explore Network Interactions > Services + category_path: explore+network+interactions/services + description: Emulate common network services and interact with malware. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services + anchor: inetsim + website: https://www.inetsim.org/ +- name: Info-ZIP + id: info-zip + category: General Utilities + category_path: general+utilities + description: Compress and decompress files using the zip algorithm. + docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + anchor: info-zip + website: http://infozip.sourceforge.net +- name: inspircd 3 + id: inspircd-3 + category: Explore Network Interactions > Services + category_path: explore+network+interactions/services + description: Examine IRC activity with this IRC server. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services + anchor: inspircd-3 + website: https://www.inspircd.org/ +- name: ioc_parser + id: ioc-parser + category: Gather and Analyze Data + category_path: gather+and+analyze+data + description: Extract IOCs from security report PDFs. + docs_url: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + anchor: ioc_parser + website: https://github.com/buffer/ioc_parser +- name: ipwhois + id: ipwhois + category: Gather and Analyze Data + category_path: gather+and+analyze+data + description: Retrieve and parse whois data for IP addresses. 
+ docs_url: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + anchor: ipwhois + website: https://github.com/secynic/ipwhois +- name: JADX + id: jadx + category: Statically Analyze Code > Android + category_path: statically+analyze+code/android + description: Generate Java source code from Dalvik Executable (dex) and Android + APK files. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android + anchor: jadx + website: https://github.com/skylot/jadx +- name: Java IDX Parser + id: java-idx-parser + category: Statically Analyze Code > Java + category_path: statically+analyze+code/java + description: Analyze Java IDX files. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/java + anchor: java-idx-parser + website: https://github.com/digitalsleuth/Java_IDX_Parser +- name: Javassist + id: javassist + category: Statically Analyze Code > Java + category_path: statically+analyze+code/java + description: Java bytecode engineering toolkit/library. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/java + anchor: javassist + website: https://www.javassist.org/ +- name: JD-GUI Java Decompiler + id: jd-gui-java-decompiler + category: Statically Analyze Code > Java + category_path: statically+analyze+code/java + description: Java decompiler with GUI. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/java + anchor: jd-gui-java-decompiler + website: https://java-decompiler.github.io/ +- name: JS Beautifier + id: js-beautifier + category: Statically Analyze Code > Scripts + category_path: statically+analyze+code/scripts + description: Reformat JavaScript scripts for easier analysis. 
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts + anchor: js-beautifier + website: https://beautifier.io/ +- name: JStillery + id: jstillery + category: Dynamically Reverse-Engineer Code > Scripts + category_path: dynamically+reverse-engineer+code/scripts + description: Deobfuscate JavaScript scripts using AST and Partial Evaluation techniques. + docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts + anchor: jstillery + website: https://github.com/mindedsecurity/jstillery +- name: libemu + id: libemu + category: Dynamically Reverse-Engineer Code > Shellcode + category_path: dynamically+reverse-engineer+code/shellcode + description: A library for x86 code emulation and shellcode detection. + docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode + anchor: libemu + website: https://github.com/buffer/libemu +- name: libolecf + id: libolecf + category: Analyze Documents > Microsoft Office + category_path: analyze+documents/microsoft+office + description: Microsoft Office OLE2 compound documents. + docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + anchor: libolecf + website: https://github.com/libyal/libolecf +- name: LIEF + id: lief + category: Examine Static Properties > General + category_path: examine+static+properties/general + description: Parse and analyze PE, ELF, MachO, DEX, OAT, VDEX, ART, and DWARF executable + formats. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + anchor: lief + website: https://lief.re +- name: Magika + id: magika + category: Examine Static Properties > General + category_path: examine+static+properties/general + description: Identify file type using signatures. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + anchor: magika + website: https://google.github.io/magika +- name: mail-parser + id: mail-parser + category: Analyze Documents > Email Messages + category_path: analyze+documents/email+messages + description: Parse raw SMTP and. + docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages + anchor: mail-parser + website: https://github.com/SpamScope/mail-parser +- name: Malcat Lite + id: malcat-lite + category: Examine Static Properties > General + category_path: examine+static+properties/general + description: Analyze binary files using a hex editor, disassembler, and file dissector. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + anchor: malcat-lite + website: https://malcat.fr +- name: Malchive + id: malchive + category: Examine Static Properties > Deobfuscation + category_path: examine+static+properties/deobfuscation + description: Perform static analysis of various aspects of malicious code. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + anchor: malchive + website: https://github.com/MITRECND/malchive + additional_categories: + - Statically Analyze Code > PE Files +- name: malwoverview + id: malwoverview + category: Gather and Analyze Data + category_path: gather+and+analyze+data + description: Query public repositories of malware data (e. + docs_url: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + anchor: malwoverview + website: https://github.com/alexandreborges/malwoverview +- name: mbcscan + id: mbcscan + category: Statically Analyze Code > PE Files + category_path: statically+analyze+code/pe-files + description: Scan a PE file to list the associated Malware Behavior Catalog (MBC) + details. 
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files + anchor: mbcscan + website: https://github.com/accidentalrebel/mbcscan +- name: mitmproxy + id: mitmproxy + category: Explore Network Interactions > Monitoring + category_path: explore+network+interactions/monitoring + description: Investigate website interactions using this web proxy. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring + anchor: mitmproxy + website: https://mitmproxy.org +- name: monodis + id: monodis + category: Examine Static Properties > .NET + category_path: examine+static+properties/.net + description: Disassemble and extract resources from. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/.net + anchor: monodis + website: https://www.mono-project.com/docs/tools+libraries/tools/monodis/ +- name: msg-extractor + id: msg-extractor + category: Analyze Documents > Email Messages + category_path: analyze+documents/email+messages + description: Extract emails and attachments from MSG files. + docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages + anchor: msg-extractor + website: https://github.com/TeamMsgExtractor/msg-extractor +- name: msgconvert + id: msgconvert + category: Analyze Documents > Email Messages + category_path: analyze+documents/email+messages + description: Convert MSG files to MBOX files. + docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages + anchor: msgconvert + website: https://www.matijs.net/software/msgconv/ +- name: msitools + id: msitools + category: Examine Static Properties > General + category_path: examine+static+properties/general + description: Create, inspect and extract Windows Installer (. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + anchor: msitools + website: https://wiki.gnome.org/msitools +- name: msoffcrypto-crack.py + id: msoffcrypto-crack-py + category: Analyze Documents > Microsoft Office + category_path: analyze+documents/microsoft+office + description: Recover the password of an encrypted Microsoft Office document. + docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + anchor: msoffcrypto-crack.py + website: https://blog.didierstevens.com/2018/12/31/new-tool-msoffcrypto-crack-py/ +- name: msoffcrypto-tool + id: msoffcrypto-tool + category: Analyze Documents > Microsoft Office + category_path: analyze+documents/microsoft+office + description: Decrypt a Microsoft Office file with password, intermediate key, or + private key which generated its escrow key. + docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + anchor: msoffcrypto-tool + website: https://github.com/nolze/msoffcrypto-tool +- name: msoffice-crypt + id: msoffice-crypt + category: Analyze Documents > Microsoft Office + category_path: analyze+documents/microsoft+office + description: Encrypt and decrypt OOXML Microsoft Office documents. + docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + anchor: msoffice-crypt + website: https://github.com/herumi/msoffice +- name: myip + id: myip + category: General Utilities + category_path: general+utilities + description: Determine the IP address of the default network interface. + docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + anchor: myip + website: https://github.com/REMnux/distro/blob/master/files/myip +- name: myjson-filter.py + id: myjson-filter-py + category: General Utilities + category_path: general+utilities + description: Filter data formatted using the JSON format used by Didier Stevens' + tools. 
+ docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + anchor: myjson-filter.py + website: https://blog.didierstevens.com/2022/04/09/new-tool-myjson-filter-py/ +- name: Name-That-Hash + id: name-that-hash + category: Examine Static Properties > General + category_path: examine+static+properties/general + description: Identify dfferent types of hashes. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + anchor: name-that-hash + website: https://github.com/HashPals/Name-That-Hash +- name: nasm + id: nasm + category: General Utilities + category_path: general+utilities + description: An x86-64 assembler. + docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + anchor: nasm + website: https://www.nasm.us +- name: Nautilus + id: nautilus + category: General Utilities + category_path: general+utilities + description: Graphical file manager. + docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + anchor: nautilus + website: https://gitlab.gnome.org/GNOME/nautilus +- name: netcat + id: netcat + category: Explore Network Interactions > Connecting + category_path: explore+network+interactions/connecting + description: Read and write data across network connections. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting + anchor: netcat + website: https://nc110.sourceforge.io/ + additional_categories: + - Explore Network Interactions > Services +- name: Network Miner Free Edition + id: network-miner-free-edition + category: Explore Network Interactions > Monitoring + category_path: explore+network+interactions/monitoring + description: Examine network traffic and carve PCAP capture files. 
+ docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring + anchor: network-miner-free-edition + website: https://www.netresec.com +- name: Nginx + id: nginx + category: Explore Network Interactions > Services + category_path: explore+network+interactions/services + description: Web server. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services + anchor: nginx + website: https://nginx.org +- name: ngrep + id: ngrep + category: Explore Network Interactions > Monitoring + category_path: explore+network+interactions/monitoring + description: Look for patterns in network traffic. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring + anchor: ngrep + website: https://github.com/jpr5/ngrep/ +- name: NoMoreXOR.py + id: nomorexor-py + category: Examine Static Properties > Deobfuscation + category_path: examine+static+properties/deobfuscation + description: Help guess a file's 256-byte XOR by using frequency analysis. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + anchor: nomorexor.py + website: https://github.com/digitalsleuth/NoMoreXOR +- name: nsrllookup + id: nsrllookup + category: Gather and Analyze Data + category_path: gather+and+analyze+data + description: Look up MD5 file hashes in the NIST National Software Reference Library + (NSRL). + docs_url: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + anchor: nsrllookup + website: https://github.com/rjhansen/nsrllookup +- name: numbers-to-string.py + id: numbers-to-string-py + category: Examine Static Properties > General + category_path: examine+static+properties/general + description: Convert decimal numbers to strings. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + anchor: numbers-to-string + website: https://blog.didierstevens.com/2020/12/12/update-numbers-to-string-py-version-0-0-11/ + additional_categories: + - Examine Static Properties > Deobfuscation +- name: objdump + id: objdump + category: Statically Analyze Code > General + category_path: statically+analyze+code/general + description: Disassemble binary files. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/general + anchor: objdump + website: https://en.wikipedia.org/wiki/Objdump +- name: objects.js + id: objects-js + category: Dynamically Reverse-Engineer Code > Scripts + category_path: dynamically+reverse-engineer+code/scripts + description: Emulate common browser and PDF viewer objects, methods, and properties + when deobfuscating JavaScript. + docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts + anchor: objects.js + website: https://github.com/REMnux/salt-states/blob/master/remnux/config/objects/objects.js +- name: oledump.py + id: oledump-py + category: Analyze Documents > Microsoft Office + category_path: analyze+documents/microsoft+office + description: Analyze OLE2 Structured Storage files. + docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + anchor: oledump.py + website: https://blog.didierstevens.com/programs/oledump-py/ +- name: olefile + id: olefile + category: Analyze Documents > Microsoft Office + category_path: analyze+documents/microsoft+office + description: Python package to parse, read and write MS OLE2 files. 
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + anchor: olefile + website: https://github.com/decalage2/olefile +- name: oletools + id: oletools + category: Analyze Documents > Microsoft Office + category_path: analyze+documents/microsoft+office + description: Microsoft Office OLE2 compound documents. + docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + anchor: oletools + website: https://www.decalage.info/python/oletools +- name: onedump.py + id: onedump-py + category: Analyze Documents > Microsoft Office + category_path: analyze+documents/microsoft+office + description: Extract and analyze embedded files from OneNote documents. + docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + anchor: onedump.py + website: https://blog.didierstevens.com/2023/01/22/new-tool-onedump-py/ +- name: OpenCode + id: opencode + category: Use Artificial Intelligence + category_path: use+artificial+intelligence + description: Open-source AI coding agent for the terminal. + docs_url: https://docs.remnux.org/discover-the-tools/use+artificial+intelligence + anchor: opencode + website: https://opencode.ai +- name: OpenSSH + id: openssh + category: General Utilities + category_path: general+utilities + description: Initiate and receive SSH and SFTP connections. + docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + anchor: openssh + website: https://www.openssh.com +- name: Origamindee + id: origamindee + category: Analyze Documents > PDF + category_path: analyze+documents/pdf + description: Parse, modify, generate PDF files. 
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/pdf
+ anchor: origamindee
+ website: https://github.com/mindee/origamindee
+- name: pcode2code
+ id: pcode2code
+ category: Analyze Documents > Microsoft Office
+ category_path: analyze+documents/microsoft+office
+ description: Decompile VBA macro p-code from Microsoft Office documents.
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office
+ anchor: pcode2code
+ website: https://github.com/Big5-sec/pcode2code
+- name: pcodedmp
+ id: pcodedmp
+ category: Analyze Documents > Microsoft Office
+ category_path: analyze+documents/microsoft+office
+ description: Disassemble VBA p-code.
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office
+ anchor: pcodedmp
+ website: https://github.com/bontchev/pcodedmp
+- name: pdf-parser.py
+ id: pdf-parser-py
+ category: Analyze Documents > PDF
+ category_path: analyze+documents/pdf
+ description: Examine elements of the PDF file.
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/pdf
+ anchor: pdf-parser.py
+ website: https://blog.didierstevens.com/programs/pdf-tools/
+- name: pdfid.py
+ id: pdfid-py
+ category: Analyze Documents > PDF
+ category_path: analyze+documents/pdf
+ description: Identify suspicious elements of the PDF file.
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/pdf
+ anchor: pdfid.py
+ website: https://blog.didierstevens.com/programs/pdf-tools/
+- name: pdfresurrect
+ id: pdfresurrect
+ category: Analyze Documents > PDF
+ category_path: analyze+documents/pdf
+ description: Extract previous versions of content from PDF files.
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/pdf
+ anchor: pdfresurrect
+ website: https://github.com/enferex/pdfresurrect
+- name: pdftk-java
+ id: pdftk-java
+ category: Analyze Documents > PDF
+ category_path: analyze+documents/pdf
+ description: Edit, create, and examine PDF files.
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/pdf
+ anchor: pdftk-java
+ website: https://gitlab.com/pdftk-java/pdftk
+- name: pdftool.py
+ id: pdftool-py
+ category: Analyze Documents > PDF
+ category_path: analyze+documents/pdf
+ description: Analyze PDF files to identify incremental updates to the document.
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/pdf
+ anchor: pdftool.py
+ website: https://blog.didierstevens.com/2021/01/31/new-tool-pdftool-py/
+- name: pdnstool
+ id: pdnstool
+ category: Gather and Analyze Data
+ category_path: gather+and+analyze+data
+ description: Query passive DNS databases for DNS data.
+ docs_url: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data
+ anchor: pdnstool
+ website: https://github.com/chrislee35/passivedns-client
+- name: peepdf-3
+ id: peepdf-3
+ category: Analyze Documents > PDF
+ category_path: analyze+documents/pdf
+ description: Examine elements of the PDF file.
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/pdf
+ anchor: peepdf-3
+ website: https://github.com/digitalsleuth/peepdf-3
+- name: PolarProxy
+ id: polarproxy
+ category: Explore Network Interactions > Monitoring
+ category_path: explore+network+interactions/monitoring
+ description: Intercept and decrypt TLS traffic.
+ docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring
+ anchor: polarproxy
+ website: https://www.netresec.com
+- name: PowerShell Core
+ id: powershell-core
+ category: Dynamically Reverse-Engineer Code > Scripts
+ category_path: dynamically+reverse-engineer+code/scripts
+ description: Run PowerShell scripts and commands.
+ docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts
+ anchor: powershell-core
+ website: https://github.com/powershell/powershell
+ additional_categories:
+ - General Utilities
+- name: ProcDOT
+ id: procdot
+ category: Investigate System Interactions
+ category_path: investigate+system+interactions
+ description: Visualize and examine the output of Process Monitor.
+ docs_url: https://docs.remnux.org/discover-the-tools/investigate+system+interactions
+ anchor: procdot
+ website: https://www.procdot.com
+- name: Procyon
+ id: procyon
+ category: Statically Analyze Code > Java
+ category_path: statically+analyze+code/java
+ description: Java decompiler.
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/java
+ anchor: procyon
+ website: https://github.com/mstrobel/procyon
+- name: PyInstaller Extractor
+ id: pyinstaller-extractor
+ category: Statically Analyze Code > Python
+ category_path: statically+analyze+code/python
+ description: Extract contents of a PyInstaller-generated PE files.
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/python
+ anchor: pyinstaller-extractor
+ website: https://github.com/extremecoders-re/pyinstxtractor
+- name: pyinstxtractor-ng
+ id: pyinstxtractor-ng
+ category: Statically Analyze Code > Python
+ category_path: statically+analyze+code/python
+ description: Extract contents of PyInstaller-generated executables without requiring
+ a matching Python version.
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/python
+ anchor: pyinstxtractor-ng
+ website: https://github.com/pyinstxtractor/pyinstxtractor-ng
+- name: Qiling
+ id: qiling
+ category: Statically Analyze Code > General
+ category_path: statically+analyze+code/general
+ description: Emulate code execution of PE files, shellcode, etc.
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/general
+ anchor: qiling
+ website: https://www.qiling.io
+ additional_categories:
+ - Dynamically Reverse-Engineer Code > Shellcode
+- name: qpdf
+ id: qpdf
+ category: Analyze Documents > PDF
+ category_path: analyze+documents/pdf
+ description: Manipulate (merge, convert, transform) PDF files.
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/pdf
+ anchor: qpdf
+ website: http://qpdf.sourceforge.net/
+- name: r2pipe
+ id: r2pipe
+ category: Dynamically Reverse-Engineer Code > General
+ category_path: dynamically+reverse-engineer+code/general
+ description: Examine binary files, including disassembling and debugging.
+ docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/general
+ anchor: r2pipe
+ website: https://rada.re/n/r2pipe.html
+- name: radare2
+ id: radare2
+ category: Dynamically Reverse-Engineer Code > General
+ category_path: dynamically+reverse-engineer+code/general
+ description: Examine binary files, including disassembling and debugging.
+ docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/general
+ anchor: radare2
+ website: https://www.radare.org/n/radare2.html
+ additional_categories:
+ - Use Artificial Intelligence
+- name: RAR
+ id: rar
+ category: General Utilities
+ category_path: general+utilities
+ description: Compress and decompress files using a variety of algorithms.
+ docs_url: https://docs.remnux.org/discover-the-tools/general+utilities
+ anchor: rar
+ website: https://www.rarlab.com
+- name: re-search.py
+ id: re-search-py
+ category: Examine Static Properties > General
+ category_path: examine+static+properties/general
+ description: Search the file for built-in regular expressions of common suspicious
+ artifacts.
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
+ anchor: re-search.py
+ website: https://blog.didierstevens.com/2021/05/23/update-re-search-py-version-0-0-17/
+ additional_categories:
+ - Examine Static Properties > Deobfuscation
+- name: Redress
+ id: redress
+ category: Examine Static Properties > Go
+ category_path: examine+static+properties/go
+ description: Analyze stripped Go binaries to recover symbols, types, source structure,
+ and integrate with Radare2.
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/go
+ anchor: redress
+ website: https://github.com/goretk/redress
+- name: REMnux Installer
+ id: remnux-installer
+ category: General Utilities
+ category_path: general+utilities
+ description: Install and update the REMnux distro.
+ docs_url: https://docs.remnux.org/discover-the-tools/general+utilities
+ anchor: remnux-installer
+ website: https://github.com/REMnux/distro/blob/master/files/remnux-installer.sh
+- name: REMnux MCP Server
+ id: remnux-mcp-server
+ category: Use Artificial Intelligence
+ category_path: use+artificial+intelligence
+ description: MCP server for using the REMnux malware analysis toolkit via AI assistants.
+ docs_url: https://docs.remnux.org/discover-the-tools/use+artificial+intelligence
+ anchor: remnux-mcp-server
+ website: https://github.com/REMnux/remnux-mcp-server
+- name: Rhino Debugger
+ id: rhino-debugger
+ category: Dynamically Reverse-Engineer Code > Scripts
+ category_path: dynamically+reverse-engineer+code/scripts
+ description: GUI JavaScript debugger.
+ docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts
+ anchor: rhino-debugger
+ website: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Rhino/Debugger
+- name: RSAKeyFinder
+ id: rsakeyfinder
+ category: Perform Memory Forensics
+ category_path: perform+memory+forensics
+ description: Find BER-encoded RSA private keys in a memory image.
+ docs_url: https://docs.remnux.org/discover-the-tools/perform+memory+forensics
+ anchor: rsakeyfinder
+ website: https://citp.princeton.edu/our-work/memory/
+- name: rtfdump.py
+ id: rtfdump-py
+ category: Analyze Documents > Microsoft Office
+ category_path: analyze+documents/microsoft+office
+ description: Analyze a suspicious RTF file.
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office
+ anchor: rtfdump.py
+ website: https://blog.didierstevens.com/2018/12/10/update-rtfdump-py-version-0-0-9/
+- name: runsc
+ id: runsc
+ category: Dynamically Reverse-Engineer Code > Shellcode
+ category_path: dynamically+reverse-engineer+code/shellcode
+ description: Run shellcode to trace and analyze its execution.
+ docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode
+ anchor: runsc
+ website: https://github.com/edygert/runsc
+- name: sandfly-processdecloak
+ id: sandfly-processdecloak
+ category: Investigate System Interactions
+ category_path: investigate+system+interactions
+ description: Find hidden processes on the local Linux system.
+ docs_url: https://docs.remnux.org/discover-the-tools/investigate+system+interactions
+ anchor: sandfly-processdecloak
+ website: https://github.com/sandflysecurity/sandfly-processdecloak
+- name: Scalpel
+ id: scalpel
+ category: Gather and Analyze Data
+ category_path: gather+and+analyze+data
+ description: Carve contents out of binary files, such as partitions.
+ docs_url: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data
+ anchor: scalpel
+ website: https://github.com/sleuthkit/scalpel
+- name: scdbg
+ id: scdbg
+ category: Dynamically Reverse-Engineer Code > Shellcode
+ category_path: dynamically+reverse-engineer+code/shellcode
+ description: Analyze shellcode by emulating its execution.
+ docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode
+ anchor: scdbg
+ website: http://sandsprite.com/blogs/index.php?uid=7&pid=152
+- name: SciTE
+ id: scite
+ category: View or Edit Files
+ category_path: view+or+edit+files
+ description: Edit text files.
+ docs_url: https://docs.remnux.org/discover-the-tools/view+or+edit+files
+ anchor: scite
+ website: https://www.scintilla.org/SciTE.html
+- name: sets.py
+ id: sets-py
+ category: Examine Static Properties > Deobfuscation
+ category_path: examine+static+properties/deobfuscation
+ description: Perform set operations on lines or bytes in text files.
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+ anchor: sets.py
+ website: https://blog.didierstevens.com/2017/03/05/new-tool-sets-py/
+- name: shcode2exe
+ id: shcode2exe
+ category: Dynamically Reverse-Engineer Code > Shellcode
+ category_path: dynamically+reverse-engineer+code/shellcode
+ description: Convert 32 and 64-bit shellcode to a Windows executable file.
+ docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode
+ anchor: shcode2exe
+ website: https://github.com/accidentalrebel/shcode2exe
+- name: shellcode2exe.bat
+ id: shellcode2exe-bat
+ category: Dynamically Reverse-Engineer Code > Shellcode
+ category_path: dynamically+reverse-engineer+code/shellcode
+ description: Convert 32 and 64-bit shellcode to a Windows executable file.
+ docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode
+ anchor: shellcode2exe.bat
+ website: https://github.com/repnz/shellcode2exe
+- name: signsrch
+ id: signsrch
+ category: Examine Static Properties > General
+ category_path: examine+static+properties/general
+ description: Find patterns of common encryption, compression, or encoding algorithms.
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
+ anchor: signsrch
+ website: http://aluigi.altervista.org/mytoolz.htm
+- name: Sleuth Kit
+ id: sleuth-kit
+ category: Examine Static Properties > General
+ category_path: examine+static+properties/general
+ description: Analyze disk images and recover files from them.
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
+ anchor: sleuth-kit
+ website: https://www.sleuthkit.org/sleuthkit
+- name: sortcanon.py
+ id: sortcanon-py
+ category: General Utilities
+ category_path: general+utilities
+ description: Sort text files using canonicalization functions built into this tool.
+ docs_url: https://docs.remnux.org/discover-the-tools/general+utilities
+ anchor: sortcanon.py
+ website: https://blog.didierstevens.com/2022/06/18/new-tool-sortcanon-py/
+- name: Speakeasy
+ id: speakeasy
+ category: Statically Analyze Code > PE Files
+ category_path: statically+analyze+code/pe-files
+ description: Emulate code execution, including shellcode, Windows drivers, and Windows
+ PE files.
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files
+ anchor: speakeasy
+ website: https://github.com/mandiant/speakeasy
+ additional_categories:
+ - Dynamically Reverse-Engineer Code > Shellcode
+- name: SpiderMonkey
+ id: spidermonkey
+ category: Dynamically Reverse-Engineer Code > Scripts
+ category_path: dynamically+reverse-engineer+code/scripts
+ description: Execute and deobfuscate JavaScript using Mozilla's standalone
+ JavaScript engine.
+ docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts
+ anchor: spidermonkey
+ website: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey
+- name: SpiderMonkey (Patched)
+ id: spidermonkey-patched
+ category: Dynamically Reverse-Engineer Code > Scripts
+ category_path: dynamically+reverse-engineer+code/scripts
+ description: Execute and deobfuscate JavaScript using a patched version of Mozilla's
+ standalone JavaScript engine.
+ docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts
+ anchor: spidermonkey-patched
+ website: https://blog.didierstevens.com/2018/04/19/update-patched-spidermonkey/
+- name: SQLite
+ id: sqlite
+ category: General Utilities
+ category_path: general+utilities
+ description: Manage and interact with SQL database files.
+ docs_url: https://docs.remnux.org/discover-the-tools/general+utilities
+ anchor: sqlite
+ website: http://www.sqlite.org
+- name: ssdeep
+ id: ssdeep
+ category: Examine Static Properties > General
+ category_path: examine+static+properties/general
+ description: Compute Context Triggered Piecewise Hashes (CTPH), also known as fuzzy
+ hashes.
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
+ anchor: ssdeep
+ website: https://ssdeep-project.github.io/ssdeep/index.html
+- name: SSView
+ id: ssview
+ category: Analyze Documents > Microsoft Office
+ category_path: analyze+documents/microsoft+office
+ description: Analyze OLE2 Structured Storage files.
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office
+ anchor: ssview
+ website: https://www.mitec.cz/ssv.html
+- name: STPyV8
+ id: stpyv8
+ category: Dynamically Reverse-Engineer Code > Scripts
+ category_path: dynamically+reverse-engineer+code/scripts
+ description: Python3 and JavaScript interop engine, fork of the original PyV8 project.
+ docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts
+ anchor: stpyv8
+ website: https://github.com/cloudflare/stpyv8
+- name: strdeob.pl
+ id: strdeob-pl
+ category: Examine Static Properties > Deobfuscation
+ category_path: examine+static+properties/deobfuscation
+ description: Locate and decode stack strings in executable files.
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+ anchor: strdeob.pl
+ website: https://github.com/REMnux/distro/blob/master/files/strdeob.pl
+- name: strings.py
+ id: strings-py
+ category: Examine Static Properties > General
+ category_path: examine+static+properties/general
+ description: Extract ASCII and Unicode strings from binary files with length sorting
+ and filtering.
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
+ anchor: strings.py
+ website: https://blog.didierstevens.com/2020/12/19/update-strings-py-version-0-0-6/
+- name: tcpdump
+ id: tcpdump
+ category: Explore Network Interactions > Monitoring
+ category_path: explore+network+interactions/monitoring
+ description: Capture and analyze network traffic with this command-line sniffer.
+ docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring
+ anchor: tcpdump
+ website: https://www.tcpdump.org
+- name: tcpflow
+ id: tcpflow
+ category: Explore Network Interactions > Monitoring
+ category_path: explore+network+interactions/monitoring
+ description: Analyze the flow of network traffic.
+ docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring
+ anchor: tcpflow
+ website: https://downloads.digitalcorpora.org/downloads/tcpflow/
+- name: tcpick
+ id: tcpick
+ category: Explore Network Interactions > Monitoring
+ category_path: explore+network+interactions/monitoring
+ description: Capture and analyze network traffic with this command-line sniffer.
+ docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring
+ anchor: tcpick
+ website: http://tcpick.sourceforge.net
+- name: tcpxtract
+ id: tcpxtract
+ category: Explore Network Interactions > Monitoring
+ category_path: explore+network+interactions/monitoring
+ description: Extract files from network traffic.
+ docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring
+ anchor: tcpxtract
+ website: http://tcpxtract.sourceforge.net
+- name: Tesseract OCR
+ id: tesseract-ocr
+ category: Analyze Documents > General
+ category_path: analyze+documents/general
+ description: Examine images to identify and extract text using optical character
+ recognition (OCR).
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/general
+ anchor: tesseract-ocr
+ website: https://github.com/tesseract-ocr/tesseract
+- name: texteditor.py
+ id: texteditor-py
+ category: General Utilities
+ category_path: general+utilities
+ description: Edit text files from the command line using search-and-replace commands.
+ docs_url: https://docs.remnux.org/discover-the-tools/general+utilities
+ anchor: texteditor.py
+ website: https://blog.didierstevens.com/2021/07/05/new-tool-texteditor-py/
+- name: thefuzz
+ id: thefuzz
+ category: Examine Static Properties > General
+ category_path: examine+static+properties/general
+ description: Fuzzy String Matching in Python.
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
+ anchor: thefuzz
+ website: https://github.com/seatgeek/thefuzz
+- name: thug
+ id: thug
+ category: Explore Network Interactions > Connecting
+ category_path: explore+network+interactions/connecting
+ description: Examine suspicious website using this low-interaction honeyclient.
+ docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting
+ anchor: thug
+ website: https://github.com/buffer/thug
+- name: time-decode
+ id: time-decode
+ category: Gather and Analyze Data
+ category_path: gather+and+analyze+data
+ description: Decode and encode date and timestamps.
+ docs_url: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data
+ anchor: time-decode
+ website: https://github.com/digitalsleuth/time_decode
+- name: tor
+ id: tor
+ category: Explore Network Interactions > Connecting
+ category_path: explore+network+interactions/connecting
+ description: Obfuscate your origins by routing traffic through a network of anonymizing
+ nodes.
+ docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting
+ anchor: tor
+ website: https://www.torproject.org
+- name: translate.py
+ id: translate-py
+ category: Examine Static Properties > Deobfuscation
+ category_path: examine+static+properties/deobfuscation
+ description: Translate bytes according to a Python expression.
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+ anchor: translate.py
+ website: https://blog.didierstevens.com/programs/translate/
+- name: TrID
+ id: trid
+ category: Examine Static Properties > General
+ category_path: examine+static+properties/general
+ description: Identify file type using signatures.
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
+ anchor: trid
+ website: https://mark0.net/soft-trid-e.html
+ additional_categories:
+ - Statically Analyze Code > Unpacking
+- name: tshark
+ id: tshark
+ category: Explore Network Interactions > Monitoring
+ category_path: explore+network+interactions/monitoring
+ description: Capture and analyze network traffic with this console-based sniffer.
+ docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring
+ anchor: tshark
+ website: https://www.wireshark.org
+- name: uncompyle6
+ id: uncompyle6
+ category: Statically Analyze Code > Python
+ category_path: statically+analyze+code/python
+ description: Python cross-version bytecode decompiler for Python 1.
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/python
+ anchor: uncompyle6
+ website: https://github.com/rocky/python-uncompyle6
+- name: Unfurl
+ id: unfurl
+ category: Explore Network Interactions > Connecting
+ category_path: explore+network+interactions/connecting
+ description: Deconstruct and decode data from a URL.
+ docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting
+ anchor: unfurl
+ website: https://github.com/obsidianforensics/unfurl
+- name: Unhide
+ id: unhide
+ category: Investigate System Interactions
+ category_path: investigate+system+interactions
+ description: Find hidden processes or connections on the local Linux system.
+ docs_url: https://docs.remnux.org/discover-the-tools/investigate+system+interactions
+ anchor: unhide
+ website: http://www.unhide-forensics.info
+- name: unicode
+ id: unicode
+ category: Examine Static Properties > Deobfuscation
+ category_path: examine+static+properties/deobfuscation
+ description: Display Unicode character properties.
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+ anchor: unicode
+ website: https://github.com/garabik/unicode
+- name: unrar-free
+ id: unrar-free
+ category: General Utilities
+ category_path: general+utilities
+ description: Decompress files using a variety of algorithms.
+ docs_url: https://docs.remnux.org/discover-the-tools/general+utilities
+ anchor: unrar-free
+ website: https://www.rarlab.com
+- name: unXOR
+ id: unxor
+ category: Examine Static Properties > Deobfuscation
+ category_path: examine+static+properties/deobfuscation
+ description: Deobfuscate XOR'ed files.
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+ anchor: unxor
+ website: https://github.com/tomchop/unxor/
+- name: UPX
+ id: upx
+ category: Statically Analyze Code > Unpacking
+ category_path: statically+analyze+code/unpacking
+ description: Pack and unpack PE files.
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/unpacking
+ anchor: upx
+ website: https://upx.github.io
+- name: VBinDiff
+ id: vbindiff
+ category: View or Edit Files
+ category_path: view+or+edit+files
+ description: Compare binary files.
+ docs_url: https://docs.remnux.org/discover-the-tools/view+or+edit+files
+ anchor: vbindiff
+ website: https://www.cjmweb.net/vbindiff/
+- name: virustotal-search
+ id: virustotal-search
+ category: Gather and Analyze Data
+ category_path: gather+and+analyze+data
+ description: Search VirusTotal for file hashes.
+ docs_url: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data
+ anchor: virustotal-search
+ website: https://blog.didierstevens.com/programs/virustotal-tools/
+- name: virustotal-submit
+ id: virustotal-submit
+ category: Gather and Analyze Data
+ category_path: gather+and+analyze+data
+ description: Submit files to VirusTotal.
+ docs_url: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data
+ anchor: virustotal-submit
+ website: https://blog.didierstevens.com/programs/virustotal-tools/
+- name: Visual Studio Code
+ id: visual-studio-code
+ category: View or Edit Files
+ category_path: view+or+edit+files
+ description: Powerful source code editor.
+ docs_url: https://docs.remnux.org/discover-the-tools/view+or+edit+files
+ anchor: visual-studio-code
+ website: https://code.visualstudio.com/
+- name: Vivisect
+ id: vivisect
+ category: Statically Analyze Code > General
+ category_path: statically+analyze+code/general
+ description: Statically examine and emulate binary files.
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/general
+ anchor: vivisect
+ website: https://github.com/vivisect/vivisect
+- name: Volatility Framework
+ id: volatility-framework
+ category: Perform Memory Forensics
+ category_path: perform+memory+forensics
+ description: Memory forensics tool and framework.
+ docs_url: https://docs.remnux.org/discover-the-tools/perform+memory+forensics
+ anchor: volatility-framework
+ website: https://github.com/volatilityfoundation/volatility3
+- name: Wine
+ id: wine
+ category: Dynamically Reverse-Engineer Code > General
+ category_path: dynamically+reverse-engineer+code/general
+ description: Run Windows applications.
+ docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/general
+ anchor: wine
+ website: https://www.winehq.org
+ additional_categories:
+ - General Utilities
+- name: wireshark
+ id: wireshark
+ category: Explore Network Interactions > Monitoring
+ category_path: explore+network+interactions/monitoring
+ description: Capture and analyze network traffic with this sniffer.
+ docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring
+ anchor: wireshark
+ website: https://www.wireshark.org
+- name: wxHexEditor
+ id: wxhexeditor
+ category: Examine Static Properties > General
+ category_path: examine+static+properties/general
+ description: Hex editor.
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
+ anchor: wxhexeditor
+ website: https://sourceforge.net/projects/wxhexeditor/
+ additional_categories:
+ - View or Edit Files
+- name: XLMMacroDeobfuscator
+ id: xlmmacrodeobfuscator
+ category: Analyze Documents > Microsoft Office
+ category_path: analyze+documents/microsoft+office
+ description: Deobfuscate XLM macros (also known as Excel 4.
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office
+ anchor: xlmmacrodeobfuscator
+ website: https://github.com/DissectMalware/XLMMacroDeobfuscator
+- name: xmldump.py
+ id: xmldump-py
+ category: Analyze Documents > Microsoft Office
+ category_path: analyze+documents/microsoft+office
+ description: Extract contents of XML files, in particular OOXML-formatted Microsoft
+ Office documents.
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office
+ anchor: xmldump.py
+ website: https://blog.didierstevens.com/2017/12/18/new-tool-xmldump-py/
+- name: xor-kpa.py
+ id: xor-kpa-py
+ category: Examine Static Properties > Deobfuscation
+ category_path: examine+static+properties/deobfuscation
+ description: Implement a XOR known plaintext attack.
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+ anchor: xor-kpa.py
+ website: https://blog.didierstevens.com/2017/06/06/update-xor-kpa-py-version-0-0-5/
+- name: xorBruteForcer.py
+ id: xorbruteforcer-py
+ category: Examine Static Properties > Deobfuscation
+ category_path: examine+static+properties/deobfuscation
+ description: Bruteforce an XOR-encoded file.
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+ anchor: xorbruteforcer.py
+ website: https://eternal-todo.com/category/bruteforcer
+- name: XORSearch
+ id: xorsearch
+ category: Examine Static Properties > Deobfuscation
+ category_path: examine+static+properties/deobfuscation
+ description: Locate and decode strings obfuscated using common techniques.
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+ anchor: xorsearch
+ website: https://blog.didierstevens.com/programs/xorsearch/
+ additional_categories:
+ - Dynamically Reverse-Engineer Code > Shellcode
+- name: xorsearch.py
+ id: xorsearch-py
+ category: Examine Static Properties > Deobfuscation
+ category_path: examine+static+properties/deobfuscation
+ description: Search for XOR, ROL, ROT, and SHIFT encoded strings with YARA and regex
+ support.
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+ anchor: xorsearch.py
+ website: https://blog.didierstevens.com/2020/08/23/new-tool-xorsearch-py/
+- name: XORStrings
+ id: xorstrings
+ category: Examine Static Properties > Deobfuscation
+ category_path: examine+static+properties/deobfuscation
+ description: Search for XOR encoded strings in a file.
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+ anchor: xorstrings
+ website: https://blog.didierstevens.com/2013/04/15/new-tool-xorstrings/
+- name: xortool
+ id: xortool
+ category: Examine Static Properties > Deobfuscation
+ category_path: examine+static+properties/deobfuscation
+ description: Analyze XOR-encoded data.
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+ anchor: xortool
+ website: https://github.com/hellman/xortool
+- name: Yara
+ id: yara
+ category: Gather and Analyze Data
+ category_path: gather+and+analyze+data
+ description: Identify and classify malware samples using Yara rules.
+ docs_url: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data
+ anchor: yara
+ website: https://virustotal.github.io/yara/
+- name: YARA-Forge Rules
+ id: yara-forge-rules
+ category: Examine Static Properties > General
+ category_path: examine+static+properties/general
+ description: Scan files with curated YARA rules from 45+ sources for malware family
+ identification.
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
+ anchor: yara-forge-rules
+ website: https://yarahq.github.io/
+- name: Yara Rules
+ id: yara-rules
+ category: Examine Static Properties > General
+ category_path: examine+static+properties/general
+ description: Scan a file with YARA rules to identify capabilities and behaviors
+ (packer detection, anti-debug, networking).
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
+ anchor: yara-rules
+ website: https://github.com/Yara-Rules/rules
+- name: YARA-X
+ id: yara-x
+ category: Gather and Analyze Data
+ category_path: gather+and+analyze+data
+ description: Scan files using YARA rules, the next generation of YARA written in
+ Rust.
+ docs_url: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data
+ anchor: yara-x
+ website: https://github.com/VirusTotal/yara-x
+- name: zbarimg
+ id: zbarimg
+ category: Explore Network Interactions > Connecting
+ category_path: explore+network+interactions/connecting
+ description: Decode QR codes and barcodes from image files.
+ docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting
+ anchor: zbarimg
+ website: https://github.com/mchehab/zbar
+- name: zipdump.py
+ id: zipdump-py
+ category: Analyze Documents > Microsoft Office
+ category_path: analyze+documents/microsoft+office
+ description: Analyze zip-compressed files.
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office
+ anchor: zipdump.py
+ website: https://blog.didierstevens.com/2020/07/27/update-zipdump-py-version-0-0-20/
diff --git a/data/remnux/sources/salt-states.yaml b/data/remnux/sources/salt-states.yaml
new file mode 100644
index 0000000..5b879b4
--- /dev/null
+++ b/data/remnux/sources/salt-states.yaml
@@ -0,0 +1,1888 @@ +metadata: + source: https://github.com/REMnux/salt-states + branch: master + total_sls_files: 377 + total_tools_extracted: 340 + install_method_counts: + apt: 183 + script: 15 + pip: 59 + unknown: 44 + manual: 25 + perl: 7 + npm: 4 + gem: 3 + salt_directories: + - config + - network + - node-packages + - packages + - perl-packages + - python3-packages + - repos + - rubygems + - scripts + - theme + - theme-dedicated + - tools +tools: +- id: 7zip + package_names: + - remnux-packages-p7zip-full + - remnux-packages-7zz + - p7zip-full + - 7zz + install_method: apt + salt_state_path: remnux/packages/7zip.sls +- id: accept-all-ips + package_names: + - accept-all-ips + install_method: script + salt_state_path: remnux/scripts/accept-all-ips.sls +- id: aeskeyfind + package_names: + - aeskeyfind + install_method: apt + salt_state_path: remnux/packages/aeskeyfind.sls +- id: androguard + package_names: + - remnux-python3-packages-androguard + - androguard + install_method: pip + salt_state_path: remnux/python3-packages/androguard.sls +- id: android-project-creator + package_names: + - android-project-creator + install_method: unknown + salt_state_path: remnux/config/android-project-creator.sls +- id: anomy + package_names: + - anomy + install_method: script + salt_state_path: remnux/scripts/anomy.sls +- id: apkid + package_names: + - remnux-python3-packages-apkid + - apkid + install_method: pip + salt_state_path: remnux/python3-packages/apkid.sls +- id: apktool + package_names: + - apktool + install_method: manual + salt_state_path: remnux/tools/apktool.sls +- id: apt-utils + package_names: + - apt-utils + install_method: apt + salt_state_path: remnux/packages/apt-utils.sls +- id: archive-zip + package_names: + - cpan + install_method: perl + salt_state_path: remnux/perl-packages/archive-zip.sls +- id: autoconf + package_names: + - autoconf + install_method: apt + salt_state_path: remnux/packages/autoconf.sls +- id: autoit-ripper + package_names: + - 
remnux-python3-packages-autoit-ripper-install + - autoit-ripper + install_method: pip + salt_state_path: remnux/python3-packages/autoit-ripper.sls +- id: autologin + package_names: + - autologin + install_method: unknown + salt_state_path: remnux/theme/autologin.sls +- id: automake + package_names: + - automake + install_method: apt + salt_state_path: remnux/packages/automake.sls +- id: baksmali + package_names: + - baksmali + install_method: apt + salt_state_path: remnux/packages/baksmali.sls +- id: balbuzard + package_names: + - remnux-python3-packages-balbuzard-install + - balbuzard-3 + - '{{' + install_method: pip + salt_state_path: remnux/python3-packages/balbuzard.sls +- id: bash-history + package_names: + - bash-history + install_method: unknown + salt_state_path: remnux/config/bash-history.sls +- id: bash-rc + package_names: + - bash-rc + install_method: unknown + salt_state_path: remnux/config/bash-rc.sls +- id: bearparser + package_names: + - bearparser + install_method: apt + salt_state_path: remnux/packages/bearparser.sls +- id: binee + package_names: + - binee + install_method: unknown + salt_state_path: remnux/config/binee.sls +- id: binutils + package_names: + - binutils + install_method: apt + salt_state_path: remnux/packages/binutils.sls +- id: binwalk + package_names: + - binwalk + install_method: apt + salt_state_path: remnux/packages/binwalk.sls +- id: box-js + package_names: + - box-js + install_method: npm + salt_state_path: remnux/node-packages/box-js.sls +- id: brxor + package_names: + - brxor.py + install_method: pip + salt_state_path: remnux/python3-packages/brxor.sls +- id: build-essential + package_names: + - build-essential + install_method: apt + salt_state_path: remnux/packages/build-essential.sls +- id: bulk-extractor + package_names: + - bulk-extractor + install_method: apt + salt_state_path: remnux/packages/bulk-extractor.sls +- id: bundler + package_names: + - bundler + install_method: apt + salt_state_path: 
remnux/packages/bundler.sls +- id: burpsuite-community + package_names: + - remnux-packages-burpsuite-community + - burpsuite-community + install_method: apt + salt_state_path: remnux/packages/burpsuite-community.sls +- id: bytehist + package_names: + - bytehist + install_method: manual + salt_state_path: remnux/tools/bytehist.sls +- id: cabextract + package_names: + - cabextract + install_method: apt + salt_state_path: remnux/packages/cabextract.sls +- id: capa + package_names: + - capa + install_method: manual + salt_state_path: remnux/tools/capa.sls +- id: cast + package_names: + - remnux-packages-cast + install_method: apt + salt_state_path: remnux/packages/cast.sls +- id: cffi + package_names: + - remnux-python3-packages-cffi + - cffi + install_method: pip + salt_state_path: remnux/python3-packages/cffi.sls +- id: cfr + package_names: + - cfr + install_method: manual + salt_state_path: remnux/tools/cfr.sls +- id: chepy + package_names: + - remnux-python3-packages-chepy + - remnux-python3-packages-chepy-extras + - chepy + - chepy[extras] + install_method: pip + salt_state_path: remnux/python3-packages/chepy.sls +- id: clamav-daemon + package_names: + - clamav-daemon + - clamav-freshclam + install_method: apt + salt_state_path: remnux/packages/clamav-daemon.sls +- id: compatibility + package_names: + - compatibility + install_method: unknown + salt_state_path: remnux/theme/compatibility.sls +- id: crypt-blowfish + package_names: + - cpan + install_method: perl + salt_state_path: remnux/perl-packages/crypt-blowfish.sls +- id: crypt-rc4 + package_names: + - cpan + install_method: perl + salt_state_path: remnux/perl-packages/crypt-rc4.sls +- id: csce + package_names: + - remnux-python3-package-csce + - libcsce + - '{{' + install_method: pip + salt_state_path: remnux/python3-packages/csce.sls +- id: curl + package_names: + - remnux-packages-curl + - curl + install_method: apt + salt_state_path: remnux/packages/curl.sls +- id: cutter + package_names: + - cutter + 
install_method: manual + salt_state_path: remnux/tools/cutter.sls +- id: cyberchef + package_names: + - cyberchef + install_method: manual + salt_state_path: remnux/tools/cyberchef.sls +- id: dc3-mwcp + package_names: + - remnux-python3-packages-dc3-mwcp + - mwcp + install_method: pip + salt_state_path: remnux/python3-packages/dc3-mwcp.sls +- id: debloat + package_names: + - remnux-python3-packages-debloat + - debloat + - '{{' + install_method: pip + salt_state_path: remnux/python3-packages/debloat.sls +- id: default-jdk + package_names: + - default-jdk + install_method: apt + salt_state_path: remnux/packages/default-jdk.sls +- id: default-jre + package_names: + - default-jre + install_method: apt + salt_state_path: remnux/packages/default-jre.sls +- id: detect-it-easy + package_names: + - remnux-tools-detect-it-easy-install + - die + - diec + install_method: manual + salt_state_path: remnux/tools/detect-it-easy.sls +- id: dex2jar + package_names: + - dex2jar + install_method: apt + salt_state_path: remnux/packages/dex2jar.sls +- id: dexray + package_names: + - dexray + install_method: script + salt_state_path: remnux/scripts/dexray.sls +- id: dialog + package_names: + - dialog + install_method: apt + salt_state_path: remnux/packages/dialog.sls +- id: didier-stevens-scripts + package_names: + - '{{' + install_method: script + salt_state_path: remnux/scripts/didier-stevens-scripts.sls +- id: digest-crc + package_names: + - cpan + install_method: perl + salt_state_path: remnux/perl-packages/digest-crc.sls +- id: display + package_names: + - set-scaling + install_method: unknown + salt_state_path: remnux/config/display.sls +- id: dissect + package_names: + - remnux-python3-packages-dissect-fusepy-prereq + - remnux-python3-packages-dissect-install + - setuptools==68.2.0 + - '{{' + install_method: pip + salt_state_path: remnux/python3-packages/dissect.sls +- id: distro-info + package_names: + - distro-info + install_method: pip + salt_state_path: 
remnux/python3-packages/distro-info.sls +- id: dllcharacteristics + package_names: + - dllcharacteristics.py + install_method: script + salt_state_path: remnux/scripts/dllcharacteristics.sls +- id: dnfile + package_names: + - remnux-python3-packages-dnfile + - dnfile + install_method: pip + salt_state_path: remnux/python3-packages/dnfile.sls +- id: dnslib + package_names: + - remnux-python3-packages-dnslib + - dnslib + install_method: pip + salt_state_path: remnux/python3-packages/dnslib.sls +- id: docker + package_names: + - docker-docker-ce + - docker-engine + - docker-ce + install_method: apt + salt_state_path: remnux/packages/docker.sls +- id: docker-compose + package_names: + - docker-compose + install_method: manual + salt_state_path: remnux/tools/docker-compose.sls +- id: dog + package_names: + - dog + install_method: unknown + salt_state_path: remnux/theme/dog.sls +- id: dos2unix + package_names: + - dos2unix + install_method: apt + salt_state_path: remnux/packages/dos2unix.sls +- id: dot-cache + package_names: + - dot-cache + install_method: unknown + salt_state_path: remnux/config/dot-cache.sls +- id: dot-config + package_names: + - dot-config + install_method: unknown + salt_state_path: remnux/config/dot-config.sls +- id: dot-cpan + package_names: + - dot-cpan + install_method: unknown + salt_state_path: remnux/config/dot-cpan.sls +- id: dot-dbus + package_names: + - dot-dbus + install_method: unknown + salt_state_path: remnux/config/dot-dbus.sls +- id: dot-local + package_names: + - dot-local + install_method: unknown + salt_state_path: remnux/config/dot-local.sls +- id: dotnet-runtime-3-1 + package_names: + - dotnet3 + install_method: apt + salt_state_path: remnux/packages/dotnet-runtime-3-1.sls +- id: dotnetfile + package_names: + - dotnetfile_dump.py + install_method: pip + salt_state_path: remnux/python3-packages/dotnetfile.sls +- id: droidlysis + package_names: + - remnux-python3-packages-droidlysis + - droidlysis + install_method: pip + 
salt_state_path: remnux/python3-packages/droidlysis.sls +- id: edb-debugger + package_names: + - edb-debugger + install_method: apt + salt_state_path: remnux/packages/edb-debugger.sls +- id: enchant + package_names: + - remnux-packages-enchant + - enchant-2 + install_method: apt + salt_state_path: remnux/packages/enchant.sls +- id: epic5 + package_names: + - epic5 + install_method: apt + salt_state_path: remnux/packages/epic5.sls +- id: evilclippy + package_names: + - remnux-packages-evilclippy + - evilclippy + install_method: apt + salt_state_path: remnux/packages/evilclippy.sls +- id: evince + package_names: + - evince + install_method: apt + salt_state_path: remnux/packages/evince.sls +- id: ex-pe-xor + package_names: + - ex-pe-xor.py + install_method: script + salt_state_path: remnux/scripts/ex-pe-xor.sls +- id: exfat-utils + package_names: + - remnux-packages-exfat-utils + - exfatprogs + install_method: apt + salt_state_path: remnux/packages/exfat-utils.sls +- id: exiftool + package_names: + - perl + - make + install_method: perl + salt_state_path: remnux/perl-packages/exiftool.sls +- id: fakedns + package_names: + - fakedns.py + install_method: manual + salt_state_path: remnux/tools/fakedns.sls +- id: fakemail + package_names: + - remnux-python3-packages-fakemail + - fakemail + install_method: pip + salt_state_path: remnux/python3-packages/fakemail.sls +- id: fakenet-ng + package_names: + - remnux-python3-package-fakenet-ng + - git+https://github.com/mandiant/flare-fakenet-ng.git@{{ + - '{{' + install_method: pip + salt_state_path: remnux/python3-packages/fakenet-ng.sls +- id: feh + package_names: + - feh + install_method: apt + salt_state_path: remnux/packages/feh.sls +- id: file + package_names: + - file + install_method: apt + salt_state_path: remnux/packages/file.sls +- id: firefox + package_names: + - firefox + install_method: apt + salt_state_path: remnux/packages/firefox.sls +- id: flare-floss + package_names: + - remnux-packages-flare-floss + - 
flare-floss + install_method: apt + salt_state_path: remnux/packages/flare-floss.sls +- id: flex + package_names: + - flex + install_method: apt + salt_state_path: remnux/packages/flex.sls +- id: frida + package_names: + - remnux-python3-packages-frida + - frida-tools + - '{{' + install_method: pip + salt_state_path: remnux/python3-packages/frida.sls +- id: galculator + package_names: + - galculator + install_method: apt + salt_state_path: remnux/packages/galculator.sls +- id: gdb + package_names: + - gdb + install_method: apt + salt_state_path: remnux/packages/gdb.sls +- id: gdm3 + package_names: + - gdm3 + install_method: unknown + salt_state_path: remnux/theme/core/gdm3.sls +- id: ghidra + package_names: + - remnux-packages-ghidra + - ghidra + install_method: apt + salt_state_path: remnux/packages/ghidra.sls +- id: ghidrassist-mcp + package_names: + - ghidrassist-mcp + install_method: manual + salt_state_path: remnux/tools/ghidrassist-mcp.sls +- id: gift + package_names: + - gift + install_method: unknown + salt_state_path: remnux/repos/gift.sls +- id: git + package_names: + - git + install_method: apt + salt_state_path: remnux/packages/git.sls +- id: gnome-session + package_names: + - gnome-session + install_method: unknown + salt_state_path: remnux/theme/core/gnome-session.sls +- id: gnome-shell-extensions + package_names: + - gnome-shell-extensions + install_method: unknown + salt_state_path: remnux/theme/core/gnome-shell-extensions.sls +- id: gnome-terminal + package_names: + - gnome-terminal + install_method: unknown + salt_state_path: remnux/theme/core/gnome-terminal.sls +- id: gnome-tweaks + package_names: + - gnome-tweaks + install_method: unknown + salt_state_path: remnux/theme/core/gnome-tweaks.sls +- id: gnutls-bin + package_names: + - gnutls-bin + install_method: apt + salt_state_path: remnux/packages/gnutls-bin.sls +- id: goresym + package_names: + - GoReSym + install_method: manual + salt_state_path: remnux/tools/goresym.sls +- id: graphviz + 
package_names: + - graphviz + install_method: apt + salt_state_path: remnux/packages/graphviz.sls +- id: grub-kvm + package_names: + - update-grub + install_method: unknown + salt_state_path: remnux/config/grub-kvm.sls +- id: guest-tools + package_names: + - open-vm-tools-desktop + - qemu-guest-agent + - spice-vdagent + install_method: manual + salt_state_path: remnux/theme/core/guest-tools.sls +- id: hachoir + package_names: + - remnux-python3-packages-hachoir + - hachoir + - '{{' + install_method: pip + salt_state_path: remnux/python3-packages/hachoir.sls +- id: i386-architecture + package_names: + - libc6 + - i386 + - dpkg + - libstdc++6 + - libncurses6:i386 + - zlib1g:i386 + install_method: apt + salt_state_path: remnux/packages/i386-architecture.sls +- id: ibus + package_names: + - ibus + install_method: apt + salt_state_path: remnux/packages/ibus.sls +- id: ilspy + package_names: + - ilspycmd + install_method: apt + salt_state_path: remnux/packages/ilspy.sls +- id: imagemagick + package_names: + - imagemagick + install_method: apt + salt_state_path: remnux/packages/imagemagick.sls +- id: inetsim + package_names: + - remnux-packages-inetsim + - inetsim + install_method: apt + salt_state_path: remnux/packages/inetsim.sls +- id: inspircd + package_names: + - remnux-packages-inspircd-install + - inspircd + install_method: apt + salt_state_path: remnux/packages/inspircd.sls +- id: ioc-parser + package_names: + - remnux-python3-packages-ioc-parser + - git+https://github.com/buffer/ioc_parser.git + - iocp + install_method: pip + salt_state_path: remnux/python3-packages/ioc-parser.sls +- id: iproute2 + package_names: + - iproute2 + install_method: apt + salt_state_path: remnux/packages/iproute2.sls +- id: iptables + package_names: + - iptables + install_method: apt + salt_state_path: remnux/packages/iptables.sls +- id: iputils-ping + package_names: + - iputils-ping + install_method: apt + salt_state_path: remnux/packages/iputils-ping.sls +- id: ipwhois + 
package_names: + - remnux-python3-packages-ipwhois + - ipwhois + - '{{' + install_method: pip + salt_state_path: remnux/python3-packages/ipwhois.sls +- id: ipython3 + package_names: + - remnux-packages-ipython3 + - ipython3 + install_method: apt + salt_state_path: remnux/packages/ipython3.sls +- id: jadx + package_names: + - jadx + - jadx-gui + install_method: manual + salt_state_path: remnux/tools/jadx.sls +- id: java-idx-parser + package_names: + - idx_parser.py + install_method: script + salt_state_path: remnux/scripts/java-idx-parser.sls +- id: jd-gui + package_names: + - jd-gui + install_method: manual + salt_state_path: remnux/tools/jd-gui.sls +- id: jq + package_names: + - jq + install_method: apt + salt_state_path: remnux/packages/jq.sls +- id: js-patched + package_names: + - js-file + - js-patched + - js-ascii + install_method: manual + salt_state_path: remnux/tools/js-patched.sls +- id: jsbeautifier + package_names: + - remnux-python3-packages-jsbeautifier + - jsbeautifier + - js-beautify + - editorconfig + install_method: pip + salt_state_path: remnux/python3-packages/jsbeautifier.sls +- id: jstillery + package_names: + - remnux-node-packages-jstillery + - git+https://github.com/mindedsecurity/JStillery.git + install_method: npm + salt_state_path: remnux/node-packages/jstillery.sls +- id: lame + package_names: + - lame + install_method: apt + salt_state_path: remnux/packages/lame.sls +- id: libboost-dev + package_names: + - libboost-dev + install_method: apt + salt_state_path: remnux/packages/libboost-dev.sls +- id: libboost-python-dev + package_names: + - libboost-python-dev + install_method: apt + salt_state_path: remnux/packages/libboost-python-dev.sls +- id: libboost-system-dev + package_names: + - libboost-system-dev + install_method: apt + salt_state_path: remnux/packages/libboost-system-dev.sls +- id: libdpkg-perl + package_names: + - libdpkg-perl + install_method: apt + salt_state_path: remnux/packages/libdpkg-perl.sls +- id: 
libemail-outlook-message-perl + package_names: + - libemail-outlook-message-perl + install_method: apt + salt_state_path: remnux/packages/libemail-outlook-message-perl.sls +- id: libemu + package_names: + - libemu + - libemu-dev + - ldconfig + install_method: apt + salt_state_path: remnux/packages/libemu.sls +- id: libffi-dev + package_names: + - libffi-dev + install_method: apt + salt_state_path: remnux/packages/libffi-dev.sls +- id: libfuse2 + package_names: + - remnux-packages-libfuse2 + - libfuse2t64 + install_method: apt + salt_state_path: remnux/packages/libfuse2.sls +- id: libfuzzy-dev + package_names: + - libfuzzy-dev + install_method: apt + salt_state_path: remnux/packages/libfuzzy-dev.sls +- id: libfuzzy2 + package_names: + - libfuzzy2 + install_method: apt + salt_state_path: remnux/packages/libfuzzy2.sls +- id: libglib2 + package_names: + - remnux-packages-libglib2 + - libglib2.0-0t64 + install_method: apt + salt_state_path: remnux/packages/libglib2.sls +- id: libglu1-mesa-dev + package_names: + - libglu1-mesa-dev + install_method: apt + salt_state_path: remnux/packages/libglu1-mesa-dev.sls +- id: libgraphviz-dev + package_names: + - libgraphviz-dev + install_method: apt + salt_state_path: remnux/packages/libgraphviz-dev.sls +- id: libgtk-3-0 + package_names: + - remnux-packages-libgtk-3-0 + - libgtk-3-0t64 + install_method: apt + salt_state_path: remnux/packages/libgtk-3-0.sls +- id: libjavassist-java + package_names: + - libjavassist-java + install_method: apt + salt_state_path: remnux/packages/libjavassist-java.sls +- id: libjpeg-dev + package_names: + - libjpeg-dev + install_method: apt + salt_state_path: remnux/packages/libjpeg-dev.sls +- id: libjpeg8-dev + package_names: + - libjpeg8-dev + install_method: apt + salt_state_path: remnux/packages/libjpeg8-dev.sls +- id: liblzma-dev + package_names: + - liblzma-dev + install_method: apt + salt_state_path: remnux/packages/liblzma-dev.sls +- id: liblzo2-dev + package_names: + - liblzo2-dev + 
install_method: apt + salt_state_path: remnux/packages/liblzo2-dev.sls +- id: libmagic-dev + package_names: + - libmagic-dev + install_method: apt + salt_state_path: remnux/packages/libmagic-dev.sls +- id: libmysqlclient21 + package_names: + - libmysqlclient21 + install_method: apt + salt_state_path: remnux/packages/libmysqlclient21.sls +- id: libncurses + package_names: + - libncurses + - libncurses-dev + install_method: apt + salt_state_path: remnux/packages/libncurses.sls +- id: libnetfilter-queue-dev + package_names: + - libnetfilter-queue-dev + install_method: apt + salt_state_path: remnux/packages/libnetfilter-queue-dev.sls +- id: libnfnetlink-dev + package_names: + - libnfnetlink-dev + install_method: apt + salt_state_path: remnux/packages/libnfnetlink-dev.sls +- id: libolecf + package_names: + - libolecf + install_method: apt + salt_state_path: remnux/packages/libolecf.sls +- id: libpq5 + package_names: + - libpq5 + install_method: apt + salt_state_path: remnux/packages/libpq5.sls +- id: libqt5scripttools5 + package_names: + - remnux-package-libqt5scripttools5 + - libqt5scripttools5 + install_method: apt + salt_state_path: remnux/packages/libqt5scripttools5.sls +- id: libre2 + package_names: + - remnux-packages-libre2 + - libre2-10 + install_method: apt + salt_state_path: remnux/packages/libre2.sls +- id: libsm6 + package_names: + - remnux-packages-libsm6 + - libsm6 + install_method: apt + salt_state_path: remnux/packages/libsm6.sls +- id: libsqlite3-dev + package_names: + - libsqlite3-dev + install_method: apt + salt_state_path: remnux/packages/libsqlite3-dev.sls +- id: libssl-dev + package_names: + - libssl-dev + install_method: apt + salt_state_path: remnux/packages/libssl-dev.sls +- id: libtool + package_names: + - libtool + install_method: apt + salt_state_path: remnux/packages/libtool.sls +- id: libtre5 + package_names: + - libtre5 + install_method: apt + salt_state_path: remnux/packages/libtre5.sls +- id: libusb-1 + package_names: + - libusb-1.0-0 + 
install_method: apt + salt_state_path: remnux/packages/libusb-1.sls +- id: libxml2-dev + package_names: + - libxml2-dev + install_method: apt + salt_state_path: remnux/packages/libxml2-dev.sls +- id: libxslt1-dev + package_names: + - libxslt1-dev + install_method: apt + salt_state_path: remnux/packages/libxslt1-dev.sls +- id: lief + package_names: + - remnux-python3-packages-lief + - lief + install_method: pip + salt_state_path: remnux/python3-packages/lief.sls +- id: linux-headers + package_names: + - linux-headers-generic + - remnux-packages-linux-headers + - linux-headers-{{ + install_method: apt + salt_state_path: remnux/packages/linux-headers.sls +- id: ltrace + package_names: + - ltrace + install_method: apt + salt_state_path: remnux/packages/ltrace.sls +- id: magika + package_names: + - remnux-python3-packages-magika-install + - magika + install_method: pip + salt_state_path: remnux/python3-packages/magika.sls +- id: mail-parser + package_names: + - remnux-python3-packages-mail-parser + - mail-parser + install_method: pip + salt_state_path: remnux/python3-packages/mail-parser.sls +- id: malcat + package_names: + - remnux-tools-malcat-pip-deps + - malcat + install_method: manual + salt_state_path: remnux/tools/malcat.sls +- id: malchive + package_names: + - remnux-python3-packages-malchive + - git+https://github.com/MITRECND/malchive.git@ec0f355ceaef0e1311ad3e079d9512f95a341c32 + - '{{' + install_method: pip + salt_state_path: remnux/python3-packages/malchive.sls +- id: malwoverview + package_names: + - remnux-python3-packages-malwoverview-install + - malwoverview + install_method: pip + salt_state_path: remnux/python3-packages/malwoverview.sls +- id: manalyze + package_names: + - manalyze + install_method: apt + salt_state_path: remnux/packages/manalyze.sls +- id: mercurial + package_names: + - mercurial + install_method: apt + salt_state_path: remnux/packages/mercurial.sls +- id: microsoft + package_names: + - deb + install_method: unknown + 
salt_state_path: remnux/repos/microsoft.sls +- id: microsoft-vscode + package_names: + - microsoft-vscode + install_method: unknown + salt_state_path: remnux/repos/microsoft-vscode.sls +- id: mitmproxy + package_names: + - remnux-python3-packages-mitmproxy + - mitmproxy + - '{{' + install_method: pip + salt_state_path: remnux/python3-packages/mitmproxy.sls +- id: mono + package_names: + - mono + install_method: unknown + salt_state_path: remnux/repos/mono.sls +- id: mono-devel + package_names: + - mono-devel + install_method: apt + salt_state_path: remnux/packages/mono-devel.sls +- id: mono-utils + package_names: + - mono-utils + install_method: apt + salt_state_path: remnux/packages/mono-utils.sls +- id: msg-extractor + package_names: + - remnux-python3-packages-extract-msg + - extract_msg + install_method: pip + salt_state_path: remnux/python3-packages/msg-extractor.sls +- id: msitools + package_names: + - msitools + install_method: apt + salt_state_path: remnux/packages/msitools.sls +- id: msoffcrypto-tool + package_names: + - remnux-python3-packages-msoffcrypto-tool + - msoffcrypto-tool + install_method: pip + salt_state_path: remnux/python3-packages/msoffcrypto-tool.sls +- id: msoffice-crypt + package_names: + - msoffice-crypt + install_method: apt + salt_state_path: remnux/packages/msoffice-crypt.sls +- id: myip + package_names: + - myip + install_method: script + salt_state_path: remnux/scripts/myip.sls +- id: mynic + package_names: + - mynic + install_method: script + salt_state_path: remnux/scripts/mynic.sls +- id: name-that-hash + package_names: + - remnux-python3-packages-name-that-hash-install + - name-that-hash + - nth + install_method: pip + salt_state_path: remnux/python3-packages/name-that-hash.sls +- id: nano + package_names: + - nano + install_method: apt + salt_state_path: remnux/packages/nano.sls +- id: nasm + package_names: + - nasm + install_method: apt + salt_state_path: remnux/packages/nasm.sls +- id: nautilus + package_names: + - nautilus + 
install_method: apt + salt_state_path: remnux/packages/nautilus.sls +- id: ndg-httpsclient + package_names: + - remnux-python3-packages-ndg-httpsclient + - ndg-httpsclient + - ndg_httpclient + install_method: pip + salt_state_path: remnux/python3-packages/ndg-httpsclient.sls +- id: net-ssleay + package_names: + - cpan + install_method: perl + salt_state_path: remnux/perl-packages/net-ssleay.sls +- id: net-tools + package_names: + - net-tools + install_method: apt + salt_state_path: remnux/packages/net-tools.sls +- id: netcat + package_names: + - netcat-traditional + install_method: apt + salt_state_path: remnux/packages/netcat.sls +- id: networkminer + package_names: + - networkminer + install_method: manual + salt_state_path: remnux/tools/networkminer.sls +- id: nginx + package_names: + - nginx + install_method: unknown + salt_state_path: remnux/config/nginx.sls +- id: ngrep + package_names: + - ngrep + install_method: apt + salt_state_path: remnux/packages/ngrep.sls +- id: nodejs + package_names: + - remnux-packages-nodejs + - nodejs + install_method: npm + salt_state_path: remnux/packages/nodejs.sls +- id: nomorexor + package_names: + - nomorexor.py + install_method: script + salt_state_path: remnux/scripts/nomorexor.sls +- id: ole-storagelite + package_names: + - cpan + install_method: perl + salt_state_path: remnux/perl-packages/ole-storagelite.sls +- id: olefile + package_names: + - remnux-python3-packages-olefile-package + - python3-olefile + install_method: pip + salt_state_path: remnux/python3-packages/olefile.sls +- id: oletools + package_names: + - remnux-python3-packages-oletools + - oletools + - '{{' + install_method: pip + salt_state_path: remnux/python3-packages/oletools.sls +- id: opencode + package_names: + - opencode + install_method: unknown + salt_state_path: remnux/config/opencode.sls +- id: openjdk + package_names: + - openjdk + install_method: unknown + salt_state_path: remnux/repos/openjdk.sls +- id: openssh + package_names: + - 
openssh-client + - openssh-server + install_method: apt + salt_state_path: remnux/packages/openssh.sls +- id: openssl + package_names: + - openssl + install_method: apt + salt_state_path: remnux/packages/openssl.sls +- id: origamindee + package_names: + - origamindee + - origami + - therubyracer + install_method: gem + salt_state_path: remnux/rubygems/origamindee.sls +- id: osarch + package_names: + - osarch + install_method: unknown + salt_state_path: remnux/osarch.sls +- id: pcode2code + package_names: + - remnux-python3-packages-pcode2code + - pcode2code + install_method: pip + salt_state_path: remnux/python3-packages/pcode2code.sls +- id: pcodedmp + package_names: + - remnux-python3-packages-pcodedmp + - pcodedmp + install_method: pip + salt_state_path: remnux/python3-packages/pcodedmp.sls +- id: pdfresurrect + package_names: + - pdfresurrect + install_method: apt + salt_state_path: remnux/packages/pdfresurrect.sls +- id: pdftk-java + package_names: + - pdftk-java + install_method: apt + salt_state_path: remnux/packages/pdftk-java.sls +- id: pdnstool + package_names: + - sqlite3-gem + - passivedns-client + - sqlite3 + install_method: gem + salt_state_path: remnux/rubygems/pdnstool.sls +- id: pe-tree + package_names: + - remnux-python3-packages-pe-tree + - pe_tree + - pe-tree + install_method: pip + salt_state_path: remnux/python3-packages/pe-tree.sls +- id: pedump + package_names: + - pedump + install_method: gem + salt_state_path: remnux/rubygems/pedump.sls +- id: peepdf-3 + package_names: + - remnux-python3-packages-peepdf-3 + - peepdf-3 + - peepdf + install_method: pip + salt_state_path: remnux/python3-packages/peepdf-3.sls +- id: peframe + package_names: + - remnux-python3-packages-peframe + - peframe-ds + - peframe + install_method: pip + salt_state_path: remnux/python3-packages/peframe.sls +- id: perl + package_names: + - perl + install_method: apt + salt_state_path: remnux/packages/perl.sls +- id: pev + package_names: + - remnux-packages-pev + - readpe + 
- pev + install_method: apt + salt_state_path: remnux/packages/pev.sls +- id: pgadmin + package_names: + - remnux-packages-pgadmin4 + - pgadmin4-desktop + install_method: apt + salt_state_path: remnux/packages/pgadmin.sls +- id: pgadmin4 + package_names: + - deb + install_method: unknown + salt_state_path: remnux/repos/pgadmin4.sls +- id: pip + package_names: + - pip + install_method: pip + salt_state_path: remnux/python3-packages/pip.sls +- id: pkg-config + package_names: + - pkg-config + install_method: apt + salt_state_path: remnux/packages/pkg-config.sls +- id: polarproxy + package_names: + - polarproxy + install_method: manual + salt_state_path: remnux/tools/polarproxy.sls +- id: portex + package_names: + - portex + install_method: apt + salt_state_path: remnux/packages/portex.sls +- id: powershell + package_names: + - powershell + install_method: apt + salt_state_path: remnux/packages/powershell.sls +- id: prefer-ipv4 + package_names: + - prefer-ipv4 + install_method: unknown + salt_state_path: remnux/network/prefer-ipv4.sls +- id: procyon-decompiler + package_names: + - procyon-decompiler + install_method: apt + salt_state_path: remnux/packages/procyon-decompiler.sls +- id: protobuf + package_names: + - remnux-python3-packages-protobuf-install + - protobuf + install_method: pip + salt_state_path: remnux/python3-packages/protobuf.sls +- id: pycdc + package_names: + - pycdc + install_method: apt + salt_state_path: remnux/packages/pycdc.sls +- id: pyelftools + package_names: + - remnux-python3-packages-pyelftools + - pyelftools + - readelf.py + install_method: pip + salt_state_path: remnux/python3-packages/pyelftools.sls +- id: pyinstaller-extractor + package_names: + - pyinstxtractor.py + install_method: script + salt_state_path: remnux/scripts/pyinstaller-extractor.sls +- id: pyinstxtractor-ng + package_names: + - remnux-python3-packages-pyinstxtractor-ng + - pyinstxtractor-ng + install_method: pip + salt_state_path: 
remnux/python3-packages/pyinstxtractor-ng.sls +- id: python-debian + package_names: + - python-debian + install_method: pip + salt_state_path: remnux/python3-packages/python-debian.sls +- id: python3 + package_names: + - python3 + install_method: apt + salt_state_path: remnux/packages/python3.sls +- id: python3-cryptography + package_names: + - remnux-packages-python3-cryptography + - python3-cryptography + install_method: apt + salt_state_path: remnux/packages/python3-cryptography.sls +- id: python3-dev + package_names: + - python3-dev + install_method: apt + salt_state_path: remnux/packages/python3-dev.sls +- id: python3-dnspython + package_names: + - python3-dnspython + install_method: apt + salt_state_path: remnux/packages/python3-dnspython.sls +- id: python3-magic + package_names: + - python3-magic + install_method: apt + salt_state_path: remnux/packages/python3-magic.sls +- id: python3-netifaces + package_names: + - python3-netifaces + install_method: apt + salt_state_path: remnux/packages/python3-netifaces.sls +- id: python3-numpy + package_names: + - python3-numpy + install_method: apt + salt_state_path: remnux/packages/python3-numpy.sls +- id: python3-pil + package_names: + - python3-pil + install_method: apt + salt_state_path: remnux/packages/python3-pil.sls +- id: python3-pip + package_names: + - python3-pip + install_method: pip + salt_state_path: remnux/packages/python3-pip.sls +- id: python3-pyasn1 + package_names: + - python3-pyasn1 + install_method: apt + salt_state_path: remnux/packages/python3-pyasn1.sls +- id: python3-pyqt5 + package_names: + - python3-pyqt5 + install_method: apt + salt_state_path: remnux/packages/python3-pyqt5.sls +- id: python3-requests + package_names: + - remnux-packages-python3-requests + - python3-requests + install_method: apt + salt_state_path: remnux/packages/python3-requests.sls +- id: python3-setuptools + package_names: + - remnux-packages-python3-setuptools + - python3-setuptools + install_method: apt + 
salt_state_path: remnux/packages/python3-setuptools.sls +- id: python3-ssdeep + package_names: + - python3-ssdeep + install_method: apt + salt_state_path: remnux/packages/python3-ssdeep.sls +- id: python3-tk + package_names: + - python3-tk + install_method: apt + salt_state_path: remnux/packages/python3-tk.sls +- id: python3-venv + package_names: + - python3-venv + install_method: apt + salt_state_path: remnux/packages/python3-venv.sls +- id: python3-virtualenv + package_names: + - python3-virtualenv + install_method: apt + salt_state_path: remnux/packages/python3-virtualenv.sls +- id: python3-wheel + package_names: + - remnux-packages-python3-wheel + - python3-wheel + install_method: apt + salt_state_path: remnux/packages/python3-wheel.sls +- id: qiling + package_names: + - remnux-python3-packages-qiling + - qiling + - qltool + install_method: pip + salt_state_path: remnux/python3-packages/qiling.sls +- id: qpdf + package_names: + - qpdf + install_method: apt + salt_state_path: remnux/packages/qpdf.sls +- id: qtbase5-dev + package_names: + - qtbase5-dev + install_method: apt + salt_state_path: remnux/packages/qtbase5-dev.sls +- id: r2pipe + package_names: + - remnux-python3-packages-r2pipe + - r2pipe + install_method: pip + salt_state_path: remnux/python3-packages/r2pipe.sls +- id: radare2 + package_names: + - remnux-radare2 + - libradare2-common + - r2pm + - dpkg + install_method: apt + salt_state_path: remnux/packages/radare2.sls +- id: rar + package_names: + - remnux-packages-rar + - rar + install_method: apt + salt_state_path: remnux/packages/rar.sls +- id: redress + package_names: + - redress + install_method: manual + salt_state_path: remnux/tools/redress.sls +- id: refresh + package_names: + - pkg.refresh_db + install_method: unknown + salt_state_path: remnux/repos/refresh.sls +- id: remnux + package_names: + - remnux + install_method: unknown + salt_state_path: remnux/repos/remnux.sls +- id: remnux-installer + package_names: + - remnux + - 
remnux-cli-legacy + - remnux-diag + install_method: manual + salt_state_path: remnux/tools/remnux-installer.sls +- id: remnux-mcp-server + package_names: + - remnux-node-packages-remnux-mcp-server + - '@remnux/mcp-server' + install_method: npm + salt_state_path: remnux/node-packages/remnux-mcp-server.sls +- id: remove-app-icons + package_names: + - remove-app-icons + install_method: unknown + salt_state_path: remnux/theme/gnome-config/remove-app-icons.sls +- id: rhino + package_names: + - rhino + install_method: apt + salt_state_path: remnux/packages/rhino.sls +- id: rsakeyfind + package_names: + - rsakeyfind + install_method: apt + salt_state_path: remnux/packages/rsakeyfind.sls +- id: ruby + package_names: + - ruby + install_method: apt + salt_state_path: remnux/packages/ruby.sls +- id: ruby-dev + package_names: + - ruby-dev + install_method: apt + salt_state_path: remnux/packages/ruby-dev.sls +- id: runsc + package_names: + - remnux-packages-runsc + - runsc + install_method: apt + salt_state_path: remnux/packages/runsc.sls +- id: salt-minion + package_names: + - salt-minion + install_method: unknown + salt_state_path: remnux/config/salt-minion.sls +- id: sandfly-processdecloak + package_names: + - sandfly-processdecloak + install_method: apt + salt_state_path: remnux/packages/sandfly-processdecloak.sls +- id: scalpel + package_names: + - scalpel + install_method: apt + salt_state_path: remnux/packages/scalpel.sls +- id: scdbg + package_names: + - remnux-packages-scdbg + - scdbg + install_method: apt + salt_state_path: remnux/packages/scdbg.sls +- id: scite + package_names: + - scite + install_method: apt + salt_state_path: remnux/packages/scite.sls +- id: sharutils + package_names: + - sharutils + install_method: apt + salt_state_path: remnux/packages/sharutils.sls +- id: shcode2exe + package_names: + - shcode2exe.py + install_method: script + salt_state_path: remnux/scripts/shcode2exe.sls +- id: shellcode2exe-bat + package_names: + - 
https://github.com/repnz/shellcode2exe.git + - shellcode2exe.bat + install_method: manual + salt_state_path: remnux/tools/shellcode2exe-bat.sls +- id: sift + package_names: + - sift + install_method: unknown + salt_state_path: remnux/repos/sift.sls +- id: signsrch + package_names: + - signsrch + install_method: apt + salt_state_path: remnux/packages/signsrch.sls +- id: sleuthkit + package_names: + - remnux-packages-sleuthkit + - sleuthkit + install_method: apt + salt_state_path: remnux/packages/sleuthkit.sls +- id: snap + package_names: + - remnux-package-snap + - snap + install_method: apt + salt_state_path: remnux/packages/snap.sls +- id: snapd + package_names: + - remnux-package-snapd + - snapd + install_method: apt + salt_state_path: remnux/packages/snapd.sls +- id: software-properties-common + package_names: + - software-properties-common + install_method: apt + salt_state_path: remnux/packages/software-properties-common.sls +- id: speakeasy + package_names: + - remnux-python3-packages-speakeasy + - speakeasy-emulator + - '{{' + install_method: pip + salt_state_path: remnux/python3-packages/speakeasy.sls +- id: spidermonkey + package_names: + - libmozjs-115-dev + - js + install_method: apt + salt_state_path: remnux/packages/spidermonkey.sls +- id: sqlite + package_names: + - remnux-packages-sqlite + - sqlite3 + install_method: apt + salt_state_path: remnux/packages/sqlite.sls +- id: ssdeep + package_names: + - ssdeep + install_method: apt + salt_state_path: remnux/packages/ssdeep.sls +- id: ssh + package_names: + - ssh + install_method: unknown + salt_state_path: remnux/theme/ssh.sls +- id: ssview + package_names: + - ssview + install_method: manual + salt_state_path: remnux/tools/ssview.sls +- id: stpyv8 + package_names: + - stpyv8 + install_method: pip + salt_state_path: remnux/python3-packages/stpyv8.sls +- id: strace + package_names: + - strace + install_method: apt + salt_state_path: remnux/packages/strace.sls +- id: strdeob + package_names: + - 
strdeob.pl + install_method: script + salt_state_path: remnux/scripts/strdeob.sls +- id: subversion + package_names: + - subversion + install_method: apt + salt_state_path: remnux/packages/subversion.sls +- id: sudo + package_names: + - sudo + install_method: apt + salt_state_path: remnux/packages/sudo.sls +- id: sudoers + package_names: + - sudoers + install_method: unknown + salt_state_path: remnux/theme/sudoers.sls +- id: tcpdump + package_names: + - tcpdump + install_method: apt + salt_state_path: remnux/packages/tcpdump.sls +- id: tcpflow + package_names: + - tcpflow + install_method: apt + salt_state_path: remnux/packages/tcpflow.sls +- id: tcpick + package_names: + - tcpick + install_method: apt + salt_state_path: remnux/packages/tcpick.sls +- id: tcpxtract + package_names: + - tcpxtract + install_method: apt + salt_state_path: remnux/packages/tcpxtract.sls +- id: tesseract-ocr + package_names: + - tesseract-ocr + install_method: apt + salt_state_path: remnux/packages/tesseract-ocr.sls +- id: thefuzz + package_names: + - remnux-python3-packages-thefuzz + - thefuzz + install_method: pip + salt_state_path: remnux/python3-packages/thefuzz.sls +- id: thug + package_names: + - thug + install_method: unknown + salt_state_path: remnux/config/thug.sls +- id: time-decode + package_names: + - remnux-python3-packages-time-decode + - time-decode + install_method: pip + salt_state_path: remnux/python3-packages/time-decode.sls +- id: tor + package_names: + - tor + install_method: apt + salt_state_path: remnux/packages/tor.sls +- id: trid + package_names: + - trid + - tridupdate + install_method: manual + salt_state_path: remnux/tools/trid.sls +- id: tshark + package_names: + - tshark + install_method: apt + salt_state_path: remnux/packages/tshark.sls +- id: tzdata + package_names: + - tzdata + install_method: apt + salt_state_path: remnux/packages/tzdata.sls +- id: ubuntu + package_names: + - ubuntu + install_method: unknown + salt_state_path: remnux/repos/ubuntu.sls +- 
id: ubuntu-universe + package_names: + - ubuntu-universe + install_method: unknown + salt_state_path: remnux/repos/ubuntu-universe.sls +- id: uncompyle6 + package_names: + - remnux-python3-packages-uncompyle6 + - uncompyle6 + install_method: pip + salt_state_path: remnux/python3-packages/uncompyle6.sls +- id: unfurl + package_names: + - remnux-python3-packages-unfurl + - dfir-unfurl + - '{{' + install_method: pip + salt_state_path: remnux/python3-packages/unfurl.sls +- id: unhide + package_names: + - unhide + install_method: apt + salt_state_path: remnux/packages/unhide.sls +- id: unicode + package_names: + - remnux-python3-packages-unicode + - unicode + - '{{' + install_method: pip + salt_state_path: remnux/python3-packages/unicode.sls +- id: unrar + package_names: + - remnux-packages-unrar + - unrar-free + install_method: apt + salt_state_path: remnux/packages/unrar.sls +- id: unxor + package_names: + - unxor.py + install_method: script + salt_state_path: remnux/scripts/unxor.sls +- id: unzip + package_names: + - unzip + install_method: apt + salt_state_path: remnux/packages/unzip.sls +- id: upx-ucl + package_names: + - upx-ucl + install_method: apt + salt_state_path: remnux/packages/upx-ucl.sls +- id: user + package_names: + - user + install_method: unknown + salt_state_path: remnux/config/user.sls +- id: vbindiff + package_names: + - vbindiff + install_method: apt + salt_state_path: remnux/packages/vbindiff.sls +- id: vim + package_names: + - vim + install_method: apt + salt_state_path: remnux/packages/vim.sls +- id: vivisect + package_names: + - remnux-python3-package-vivisect + - vivisect[gui] + - '{{' + install_method: pip + salt_state_path: remnux/python3-packages/vivisect.sls +- id: volatility3 + package_names: + - volatility3 + install_method: unknown + salt_state_path: remnux/config/volatility3.sls +- id: vscode + package_names: + - vscode + install_method: unknown + salt_state_path: remnux/config/vscode.sls + possibly_conditional: true +- id: wget + 
package_names: + - remnux-packages-wget + - wget + install_method: apt + salt_state_path: remnux/packages/wget.sls +- id: wine + package_names: + - remnux-packages-wine + - dpkg + - apt-get + - winehq-stable + install_method: apt + salt_state_path: remnux/packages/wine.sls +- id: winehq + package_names: + - deb + install_method: unknown + salt_state_path: remnux/repos/winehq.sls +- id: wireshark + package_names: + - wireshark + install_method: apt + salt_state_path: remnux/packages/wireshark.sls +- id: wireshark-dev + package_names: + - wireshark-dev + install_method: unknown + salt_state_path: remnux/repos/wireshark-dev.sls +- id: wxhexeditor + package_names: + - wxhexeditor + install_method: apt + salt_state_path: remnux/packages/wxhexeditor.sls +- id: xdg-utils + package_names: + - xdg-utils + install_method: apt + salt_state_path: remnux/packages/xdg-utils.sls +- id: xlmmacrodeobfuscator + package_names: + - remnux-python3-packages-xlmmacrodeobfuscator + - xlmmacrodeobfuscator + - '{{' + install_method: pip + salt_state_path: remnux/python3-packages/xlmmacrodeobfuscator.sls +- id: xmlstarlet + package_names: + - xmlstarlet + install_method: apt + salt_state_path: remnux/packages/xmlstarlet.sls +- id: xorbruteforcer + package_names: + - xorbruteforcer.py + install_method: script + salt_state_path: remnux/scripts/xorbruteforcer.sls +- id: xorsearch + package_names: + - xorsearch + install_method: apt + salt_state_path: remnux/packages/xorsearch.sls +- id: xorstrings + package_names: + - xorstrings + install_method: apt + salt_state_path: remnux/packages/xorstrings.sls +- id: xortool + package_names: + - remnux-python3-packages-xortool + - xortool + install_method: pip + salt_state_path: remnux/python3-packages/xortool.sls +- id: xterm + package_names: + - xterm + install_method: apt + salt_state_path: remnux/packages/xterm.sls +- id: yara + package_names: + - remnux-packages-yara + - yara + install_method: apt + salt_state_path: remnux/packages/yara.sls +- id: 
yara-forge + package_names: + - yara-forge + install_method: manual + salt_state_path: remnux/tools/yara-forge.sls +- id: yara-rules + package_names: + - https://github.com/Yara-Rules/rules.git + - yara-rules + install_method: manual + salt_state_path: remnux/tools/yara-rules.sls +- id: yara-x + package_names: + - remnux-python3-packages-yara-x + - yara-x + install_method: pip + salt_state_path: remnux/python3-packages/yara-x.sls +- id: zbar-tools + package_names: + - zbar-tools + install_method: apt + salt_state_path: remnux/packages/zbar-tools.sls +- id: zlib1g-dev + package_names: + - zlib1g-dev + install_method: apt + salt_state_path: remnux/packages/zlib1g-dev.sls diff --git a/data/remnux/tool-enrichments.yaml b/data/remnux/tool-enrichments.yaml new file mode 100644 index 0000000..99120c7 --- /dev/null +++ b/data/remnux/tool-enrichments.yaml 
@@ -0,0 +1,262 @@
+# Manual enrichments for tools not covered by FOR610
+# These provide usage examples and descriptions for Priority 1-2 tools
+# Merged into tools-master.yaml by build-master-inventory.py
+
+enrichments:
+
+ # === MEMORY FORENSICS ===
+ volatility3:
+ description: "Memory forensics framework — analyze RAM dumps to find malware, hidden processes, network connections, and injected code"
+ typical_usage:
+ - "vol3 -f windows.info"
+ - "vol3 -f windows.pslist"
+ - "vol3 -f windows.pstree"
+ - "vol3 -f windows.netscan"
+ - "vol3 -f windows.malfind"
+ - "vol3 -f windows.dlllist --pid "
+ - "vol3 -f windows.dumpfiles --pid "
+ tags: [memory, forensics, volatility, incident-response]
+
+ # === NETWORK ===
+ fakenet-ng:
+ description: "Emulate network services (HTTP, DNS, SMTP, FTP) to intercept and analyze malware traffic dynamically"
+ typical_usage:
+ - "fakenet"
+ - "fakenet -c custom_config.ini"
+ tags: [network, emulation, dynamic-analysis, c2]
+
+ mitmproxy:
+ description: "Interactive HTTPS proxy for intercepting, inspecting, and modifying encrypted web traffic"
+ typical_usage:
+ - "mitmproxy"
+ - "mitmdump -w capture.flow"
+ - "mitmproxy --mode transparent"
+ tags: [network, https, proxy, tls, interception]
+
+ polarproxy:
+ description: "Transparent TLS proxy that decrypts traffic and saves it as PCAP for analysis in Wireshark"
+ typical_usage:
+ - "PolarProxy -p 443,80 -w captured.pcap"
+ tags: [network, tls, decryption, pcap]
+
+ networkminer:
+ description: "Passive network traffic analyzer — extracts files, images, credentials from PCAP captures"
+ typical_usage:
+ - "NetworkMiner --pcap "
+ tags: [network, pcap, file-carving, passive]
+
+ ngrep:
+ description: "Search network traffic for patterns — like grep for packets"
+ typical_usage:
+ - "ngrep -I 'password'"
+ - "ngrep -d eth0 'GET|POST' 'tcp port 80'"
+ tags: [network, search, pattern-matching]
+
+ tcpflow:
+ description: "Extract and reassemble TCP streams from PCAP files into individual files"
+ typical_usage:
+ - "tcpflow -r -o output/"
+ tags: [network, tcp, stream-extraction]
+
+ tcpxtract:
+ description: "Carve files from network traffic using file signatures"
+ typical_usage:
+ - "tcpxtract -f -o output/"
+ tags: [network, file-carving, pcap]
+
+ # === DYNAMIC ANALYSIS ===
+ frida:
+ description: "Dynamic instrumentation toolkit — hook and trace running processes, intercept function calls in real time"
+ typical_usage:
+ - "frida -l hook.js "
+ - "frida-trace -i 'recv*' "
+ - "frida-ps -U"
+ tags: [dynamic, instrumentation, hooking, tracing]
+
+ qiling:
+ description: "Multi-platform binary emulation framework — emulate PE, ELF, shellcode across OS/arch combinations"
+ typical_usage:
+ - "python3 -c \"from qiling import Qiling; ql = Qiling([''], '/path/to/rootfs')\""
+ tags: [emulation, multi-platform, binary-analysis]
+
+ vivisect:
+ description: "Binary analysis and emulation framework — static analysis with emulation capabilities"
+ typical_usage:
+ - "vivbin "
+ - "python3 -c \"import vivisect; vw = vivisect.VivWorkspace(); vw.loadFromFile('')\""
+ tags: [emulation, static-analysis, binary-analysis]
+
+ # === ANDROID ===
+ androguard:
+ description: "Analyze Android APK files — extract permissions, activities, intents, and decompile DEX code"
+ typical_usage:
+ - "androguard analyze "
+ - "androguard decompile -o output/ "
+ - "androgui.py "
+ tags: [android, apk, permissions, decompilation]
+
+ apktool:
+ description: "Decompile and recompile Android APK files — extract resources, smali code, and manifest"
+ typical_usage:
+ - "apktool d -o output/"
+ - "apktool b output/ -o rebuilt.apk"
+ tags: [android, apk, decompilation, resources]
+
+ jadx:
+ description: "Decompile Android DEX/APK to Java source code with a GUI or command line"
+ typical_usage:
+ - "jadx -d output/"
+ - "jadx-gui "
+ tags: [android, dex, java, decompilation]
+
+ # === JAVA ===
+ cfr:
+ description: "Modern Java decompiler — handles Java 8+ features including lambdas and try-with-resources"
+ typical_usage:
+ - "cfr --outputdir output/"
+ - "cfr "
+ tags: [java, decompilation, jar]
+
+ jd-gui:
+ description: "Visual Java decompiler with GUI — browse and search decompiled JAR/class files"
+ typical_usage:
+ - "jd-gui "
+ tags: [java, decompilation, gui]
+
+ # === PYTHON REVERSING ===
+ uncompyle6:
+ description: "Decompile Python bytecode (.pyc) back to source — supports Python 1.0 through 3.8"
+ typical_usage:
+ - "uncompyle6 "
+ - "uncompyle6 -o output/ "
+ tags: [python, decompilation, bytecode]
+
+ pyinstxtractor-ng:
+ description: "Extract contents of PyInstaller-generated executables without needing matching Python version"
+ typical_usage:
+ - "pyinstxtractor-ng "
+ tags: [python, pyinstaller, extraction]
+
+ # === OFFICE ===
+ xlmmacrodeobfuscator:
+ description: "Deobfuscate Excel 4.0 (XLM) macros — these hide in hidden sheets and are hard to detect"
+ typical_usage:
+ - "xlmdeobfuscator --file "
+ - "xlmdeobfuscator --file --no-indent"
+ tags: [office, excel, xlm, macro, deobfuscation]
+
+ pcode2code:
+ description: "Decompile VBA p-code from Office documents — works even when VBA source is removed"
+ typical_usage:
+ - "pcode2code "
+ tags: [office, vba, p-code, decompilation]
+
+ msoffcrypto-tool:
+ description: "Decrypt password-protected Microsoft Office documents (OLE and OOXML)"
+ typical_usage:
+ - "msoffcrypto-tool -p infected "
+ - "msoffcrypto-tool -p password "
+ tags: [office, decryption, password]
+
+ # === DEOBFUSCATION ===
+ xortool:
+ description: "Analyze XOR-encoded data — guess key length and probable key bytes"
+ typical_usage:
+ - "xortool "
+ - "xortool-xor -s 'key' -i -o "
+ tags: [xor, deobfuscation, key-recovery]
+
+ malchive:
+ description: "Multi-purpose malware analysis library — config extraction, deobfuscation, and static analysis"
+ typical_usage:
+ - "malchive "
+ tags: [malware, config-extraction, deobfuscation]
+
+ dc3-mwcp:
+ description: "DC3 Malware Configuration Parser — extract C2 configs from known malware families"
+ typical_usage:
+ - "mwcp parse "
+ - "mwcp parse -p Emotet "
+ tags: [malware, config-extraction, c2]
+
+ # === SHELLCODE ===
+ shcode2exe:
+ description: "Convert raw shellcode to a Windows PE executable for analysis in disassemblers"
+ typical_usage:
+ - "shcode2exe "
+ tags: [shellcode, conversion, pe]
+
+ # === COBALT STRIKE ===
+ cs-decrypt-metadata-py:
+ description: "Decrypt Cobalt Strike beacon metadata from network captures"
+ typical_usage:
+ - "cs-decrypt-metadata.py "
+ tags: [cobalt-strike, decryption, metadata]
+
+ cs-extract-key-py:
+ description: "Extract AES and HMAC encryption keys from Cobalt Strike beacon process memory dumps"
+ typical_usage:
+ - "cs-extract-key.py -f "
+ tags: [cobalt-strike, encryption, key-extraction]
+
+ cs-parse-traffic-py:
+ description: "Decrypt and parse Cobalt Strike beacon network traffic using extracted keys"
+ typical_usage:
+ - "cs-parse-traffic.py -f -k "
+ tags: [cobalt-strike, traffic, decryption]
+
+ cs-analyze-processdump-py:
+ description: "Analyze Cobalt Strike beacon process dumps for sleep mask encoding"
+ typical_usage:
+ - "cs-analyze-processdump.py "
+ tags: [cobalt-strike, sleep-mask, memory]
+
+ malwoverview:
+ description: "Query VirusTotal, Hybrid Analysis, and MalwareBazaar for malware intelligence"
+ typical_usage:
+ - "malwoverview -v "
+ - "malwoverview -f "
+ tags: [threat-intel, virustotal, malware-bazaar]
+
+ ioc-parser:
+ description: "Extract indicators of compromise (IOCs) from PDF reports and text files"
+ typical_usage:
+ - "ioc_parser "
+ tags: [ioc, extraction, threat-intel]
+
+ # === EMAIL ===
+ mail-parser:
+ description: "Parse raw SMTP email messages and extract headers, body, and attachments"
+ typical_usage:
+ - "python3 -c \"import mailparser; mail = mailparser.parse_from_file(''); print(mail.subject)\""
+ tags: [email, parsing, attachments]
+
+ msg-extractor:
+ description: "Extract emails and attachments from Microsoft Outlook MSG files"
+ typical_usage:
+ - "extract_msg "
+ - "extract_msg --out-dir output/ "
+ tags: [email, msg, outlook, attachments]
+
+ # === DATA ANALYSIS ===
+ ssdeep:
+ description: "Compute fuzzy hashes (CTPH) for finding similar files — useful for malware variant clustering"
+ typical_usage:
+ - "ssdeep "
+ - "ssdeep -m "
+ - "ssdeep -d "
+ tags: [hashing, fuzzy, similarity, clustering]
+
+ clamav:
+ description: "Open-source antivirus — scan files for known malware signatures"
+ typical_usage:
+ - "clamscan "
+ - "clamscan -r /"
+ - "freshclam"
+ tags: [antivirus, scanning, signatures]
+
+ unfurl:
+ description: "Deconstruct and decode URLs — reveal tracking parameters, encoded data, and redirect chains"
+ typical_usage:
+ - "unfurl parse "
+ tags: [url, decoding, phishing, tracking]
diff --git a/data/remnux/tools-master.yaml b/data/remnux/tools-master.yaml
new file mode 100644
index 0000000..ec80c62
--- /dev/null
+++ b/data/remnux/tools-master.yaml
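Review bot: The provenance of these manual entries is lost on merge: in the generated tools-master.yaml further down, the androguard record carries this file's description and typical_usage under `sources.for610` with `covered: true` and `has_for610_coverage: true`, although the header here says these tools are not covered by FOR610, so hand-written notes become indistinguishable from course-derived coverage and skew the `for610_*` counts in the metadata block. The merge is done by build-master-inventory.py, which is outside this diff, so the mechanism is inferred from the output; a distinct source block (e.g. an `enrichments` entry alongside `for610`, `salt_states` and `remnux_docs`) would keep attribution honest. The header should also state the contract contributors must follow, for example `# Keys must match the tool id used in tools-master.yaml; each entry: description, typical_usage (list), tags (list)`. Separately, as rendered here several typical_usage strings have lost their argument placeholders (e.g. `"cs-parse-traffic.py -f -k "`); worth confirming the committed file still carries them, since the examples are otherwise not usable as written.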
@@ -0,0 +1,11823 @@ +metadata: + total_tools: 447 + in_remnux_count: 397 + help_tier_counts: + rich: 156 + standard: 118 + basic: 173 + source_coverage: + for610_only: 58 + remnux_docs_only: 51 + salt_states_only: 173 + all_three: 65 + for610_and_docs: 92 + for610_and_salt: 71 + docs_and_salt: 132 + no_coverage: 0 +tools: +- id: 1768-py + name: 1768.py + aliases: [] + description: Parse Cobalt Strike beacon configuration from shellcode or memory dumps + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Parse Cobalt Strike beacon configuration from shellcode or memory + dumps + category: yara-detection + labs: + - '3.4' + sections: + - 3 + typical_usage: + - 1768.py shellcode.bin + tags: + - cobalt-strike + - beacon + - c2-config + - didier-stevens + author: Didier Stevens + salt_states: + covered: false + remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Analyze Cobalt Strike beacons. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://blog.didierstevens.com/2021/05/22/update-1768-py-version-0-0-6/ + anchor: id-1768.py + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: false + help_tier: rich +- id: 7-zip + name: 7-Zip + aliases: [] + description: Compress and decompress files using a variety of algorithms. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Examine Static Properties > General + description: Compress and decompress files using a variety of algorithms. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: https://www.7-zip.org + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: 7zip + name: 7zip + aliases: + - remnux-packages-p7zip-full + - remnux-packages-7zz + - p7zip-full + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: remnux-packages-p7zip-full + salt_state_path: remnux/packages/7zip.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: aeskeyfind + name: aeskeyfind + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: aeskeyfind + salt_state_path: remnux/packages/aeskeyfind.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: aeskeyfinder + name: AESKeyFinder + aliases: [] + description: Find 128-bit and 256-bit AES keys in a memory image. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Perform Memory Forensics + description: Find 128-bit and 256-bit AES keys in a memory image. 
+ docs_url: https://docs.remnux.org/discover-the-tools/perform+memory+forensics + website: https://citp.princeton.edu/our-work/memory/ + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: amsiscriptcontentretrieval + name: AMSIScriptContentRetrieval + aliases: [] + description: Extract monitored script content from AMSI Event Trace logs + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: Extract monitored script content from AMSI Event Trace logs + category: powershell-analysis + labs: + - '3.6' + sections: + - 3 + typical_usage: + - AMSIScriptContentRetrieval AMSITrace.etl > output.txt + tags: + - amsi + - script-extraction + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: androguard + name: androguard + aliases: + - remnux-python3-packages-androguard + description: Analyze Android APK files — extract permissions, activities, intents, + and decompile DEX code + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - androguard analyze + - androguard decompile -o output/ + - androgui.py + tags: + - android + - apk + - permissions + - decompilation + description: Analyze Android APK files — extract permissions, activities, intents, + and decompile DEX code + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-androguard + salt_state_path: remnux/python3-packages/androguard.sls + remnux_docs: + covered: true + category: Statically Analyze Code > Android + description: Examine Android files. 
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android + website: https://github.com/androguard/androguard + anchor: androguard + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: android-project-creator + name: android-project-creator + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: android-project-creator + salt_state_path: remnux/config/android-project-creator.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: androidprojectcreator + name: AndroidProjectCreator + aliases: [] + description: Convert an Android APK application file into an Android Studio project + for easier analysis. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Statically Analyze Code > Android + description: Convert an Android APK application file into an Android Studio + project for easier analysis. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android + website: https://maxkersten.nl/projects/androidprojectcreator + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: anomy + name: anomy + aliases: [] + description: A wrapper around wget, ssh, sftp, ftp, and telnet to route these connections + through Tor to anonymize your traffic. 
+ in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: script + package_name: anomy + salt_state_path: remnux/scripts/anomy.sls + remnux_docs: + covered: true + category: Explore Network Interactions > Connecting + description: A wrapper around wget, ssh, sftp, ftp, and telnet to route these + connections through Tor to anonymize your traffic. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting + website: https://github.com/izm1chael/Anomy + anchor: anomy + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: any-run + name: Any.run + aliases: [] + description: Interactive online malware analysis sandbox with real-time process + monitoring + in_remnux: false + platform: online + sources: + for610: + covered: true + description: Interactive online malware analysis sandbox with real-time process + monitoring + category: online-platforms + labs: [] + sections: + - 1 + typical_usage: + - https://any.run + tags: + - sandbox + - interactive + - real-time + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: api-monitor + name: API Monitor + aliases: [] + description: Monitor and record API calls made by processes + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: Monitor and record API calls made by processes + category: behavioral-analysis + labs: [] + sections: + - 1 + typical_usage: + - apimonitor-x64.exe + tags: + - api-calls + - monitoring + - dynamic-analysis + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: apkid + name: apkid + aliases: + - remnux-python3-packages-apkid + description: Identify compilers, packers, and obfuscators used to 
protect Android + APK and DEX files. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-apkid + salt_state_path: remnux/python3-packages/apkid.sls + remnux_docs: + covered: true + category: Statically Analyze Code > Android + description: Identify compilers, packers, and obfuscators used to protect Android + APK and DEX files. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android + website: https://github.com/rednaga/APKiD + anchor: apkid + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: apktool + name: apktool + aliases: [] + description: Decompile and recompile Android APK files — extract resources, smali + code, and manifest + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - apktool d -o output/ + - apktool b output/ -o rebuilt.apk + tags: + - android + - apk + - decompilation + - resources + description: Decompile and recompile Android APK files — extract resources, + smali code, and manifest + salt_states: + covered: true + install_method: manual + package_name: apktool + salt_state_path: remnux/tools/apktool.sls + remnux_docs: + covered: true + category: Statically Analyze Code > Android + description: Reverse-engineer Android APK files. 
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android + website: https://ibotpeaches.github.io/Apktool/ + anchor: apktool + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: apt-utils + name: apt-utils + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: apt-utils + salt_state_path: remnux/packages/apt-utils.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: archive-zip + name: archive-zip + aliases: + - cpan + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: perl + package_name: cpan + salt_state_path: remnux/perl-packages/ole-storagelite.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: autoconf + name: autoconf + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: autoconf + salt_state_path: remnux/packages/autoconf.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: autoit-ripper + name: autoit-ripper + aliases: + - remnux-python3-packages-autoit-ripper-install + description: Extract AutoIt scripts embedded in PE binaries. 
+ in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-autoit-ripper-install + salt_state_path: remnux/python3-packages/autoit-ripper.sls + remnux_docs: + covered: true + category: Statically Analyze Code > Scripts + description: Extract AutoIt scripts embedded in PE binaries. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts + website: https://github.com/nazywam/AutoIt-Ripper + anchor: autoit-ripper + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: autologin + name: autologin + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: autologin + salt_state_path: remnux/theme/autologin.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: automake + name: automake + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: automake + salt_state_path: remnux/packages/automake.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: autoruns + name: Autoruns + aliases: [] + description: View and manage all autostart locations — startup programs, services, + drivers, scheduled tasks + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: View and manage all autostart locations — startup programs, services, + drivers, scheduled tasks + category: behavioral-analysis + labs: [] + sections: + - 1 + typical_usage: + - Autoruns.exe + tags: + - persistence + - autostart + - startup + salt_states: + covered: false + remnux_docs: + covered: false + 
has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: baksmali + name: baksmali + aliases: [] + description: Disassembler for the dex format used by Dalvik, Android's Java + VM implementation. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: baksmali + salt_state_path: remnux/packages/baksmali.sls + remnux_docs: + covered: true + category: Statically Analyze Code > Android + description: Disassembler for the dex format used by Dalvik, Android's + Java VM implementation. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android + website: https://bitbucket.org/JesusFreke/smali + anchor: baksmali + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: balbuzard + name: balbuzard + aliases: + - remnux-python3-packages-balbuzard-install + - balbuzard-3 + - '{{' + description: Extract and deobfuscate patterns from suspicious files. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-debloat + salt_state_path: remnux/python3-packages/debloat.sls + remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Extract and deobfuscate patterns from suspicious files. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://github.com/digitalsleuth/balbuzard + anchor: balbuzard + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: base64dump-py + name: base64dump.py + aliases: + - base64dump + description: Extract and decode Base64-encoded strings from files + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Extract and decode Base64-encoded strings from files + category: document-analysis + labs: + - '3.4' + - '4.5' + sections: + - 3 + - 4 + typical_usage: + - base64dump.py file.txt + - base64dump.py file.ps1 -n 10 + - base64dump.py file.ps1 -s 2 -d + tags: + - base64 + - decoding + - didier-stevens + author: Didier Stevens + salt_states: + covered: false + remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Locate and decode strings encoded in Base64 and other common encodings. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://blog.didierstevens.com/2020/07/03/update-base64dump-py-version-0-0-12/ + anchor: base64dump.py + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: false + help_tier: rich +- id: bash-history + name: bash-history + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: bash-history + salt_state_path: remnux/config/bash-history.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: bash-rc + name: bash-rc + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: bash-rc + salt_state_path: remnux/config/bash-rc.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: bbcrack + name: bbcrack + aliases: [] + description: Detect and decode strings obfuscated with XOR, ROL, and ADD algorithms + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Detect and decode strings obfuscated with XOR, ROL, and ADD algorithms + category: string-deobfuscation + labs: + - '5.2' + sections: + - 5 + typical_usage: + - bbcrack -l 1 specimen.dll + tags: + - xor + - rol + - add + - deobfuscation + - balbuzard + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: bearparser + name: bearparser + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: bearparser + salt_state_path: 
remnux/packages/bearparser.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: binary-ninja + name: Binary Ninja + aliases: [] + description: Commercial disassembler with strong automated analysis and scripting + in_remnux: false + platform: both + sources: + for610: + covered: true + description: Commercial disassembler with strong automated analysis and scripting + category: code-analysis + labs: [] + sections: + - 2 + typical_usage: + - binaryninja specimen.exe + tags: + - disassembly + - commercial + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: binee + name: binee + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: binee + salt_state_path: remnux/config/binee.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: binee-binary-emulation-environment + name: binee (Binary Emulation Environment) + aliases: [] + description: Analyze I/O operations of a suspicious PE file by emulating its execution. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Statically Analyze Code > PE Files + description: Analyze I/O operations of a suspicious PE file by emulating its + execution. 
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files + website: https://github.com/carbonblack/binee + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: binutils + name: binutils + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: binutils + salt_state_path: remnux/packages/binutils.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: binwalk + name: binwalk + aliases: [] + description: Analyze and extract embedded files and firmware images + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Analyze and extract embedded files and firmware images + category: utilities + labs: [] + sections: + - 1 + typical_usage: + - binwalk firmware.bin + - binwalk -e firmware.bin + tags: + - firmware + - extraction + - embedded-files + salt_states: + covered: true + install_method: apt + package_name: binwalk + salt_state_path: remnux/packages/binwalk.sls + remnux_docs: + covered: true + category: Examine Static Properties > General + description: Extract and analyze firmware images. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: https://github.com/ReFirmLabs/binwalk + anchor: binwalk + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: box-js + name: box-js + aliases: [] + description: JavaScript sandbox for analyzing malicious scripts by emulating browser/WScript + APIs + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: JavaScript sandbox for analyzing malicious scripts by emulating + browser/WScript APIs + category: emulation + labs: [] + sections: + - 3 + typical_usage: + - box-js --output-dir=/tmp suspicious.js + tags: + - javascript + - sandbox + - emulation + salt_states: + covered: true + install_method: npm + package_name: box-js + salt_state_path: remnux/node-packages/box-js.sls + remnux_docs: + covered: true + category: Dynamically Reverse-Engineer Code > Scripts + description: Analyze suspicious JavaScript scripts. + docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts + website: https://github.com/CapacitorSet/box-js + anchor: box-js + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: brxor-py + name: brxor.py + aliases: [] + description: Brute-force XOR key detection for single-byte XOR-encoded strings + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Brute-force XOR key detection for single-byte XOR-encoded strings + category: string-deobfuscation + labs: + - '5.2' + sections: + - 5 + typical_usage: + - brxor.py specimen.dll + tags: + - xor + - brute-force + - deobfuscation + salt_states: + covered: true + install_method: pip + package_name: brxor.py + salt_state_path: remnux/python3-packages/brxor.sls + remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Bruteforce XOR'ed strings to find those that are English words. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://github.com/REMnux/distro/blob/master/files/brxor.py + anchor: brxor.py + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: build-essential + name: build-essential + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: build-essential + salt_state_path: remnux/packages/build-essential.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: bulk-extractor + name: bulk-extractor + aliases: [] + description: Extract interesting strings from binary files. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: bulk-extractor + salt_state_path: remnux/packages/bulk-extractor.sls + remnux_docs: + covered: true + category: Examine Static Properties > General + description: Extract interesting strings from binary files. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: https://github.com/simsong/bulk_extractor/ + anchor: bulk_extractor + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: bundler + name: bundler + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: bundler + salt_state_path: remnux/packages/bundler.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: burp-suite + name: Burp Suite + aliases: + - Burp + description: Web application security proxy for intercepting and modifying HTTP/HTTPS + traffic + in_remnux: false + platform: both + sources: + for610: + covered: true + description: Web application security proxy for intercepting and modifying HTTP/HTTPS + traffic + category: network-analysis + labs: [] + sections: + - 3 + typical_usage: + - burpsuite + tags: + - http + - https + - proxy + - web-security + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: burp-suite-community-edition + name: Burp Suite Community Edition + aliases: [] + description: Investigate website interactions using this web proxy. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Explore Network Interactions > Monitoring + description: Investigate website interactions using this web proxy. 
+ docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring + website: https://portswigger.net + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: burpsuite-community + name: burpsuite-community + aliases: + - remnux-packages-burpsuite-community + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: remnux-packages-burpsuite-community + salt_state_path: remnux/packages/burpsuite-community.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: bytehist + name: Bytehist + aliases: [] + description: Generate byte-usage histograms to visually identify packed or encrypted + sections in binaries + in_remnux: true + platform: both + sources: + for610: + covered: true + description: Generate byte-usage histograms to visually identify packed or encrypted + sections in binaries + category: static-analysis-pe + labs: [] + sections: + - 1 + - 4 + typical_usage: + - bytehist specimen.exe + tags: + - pe + - entropy + - packing-detection + - histogram + salt_states: + covered: true + install_method: manual + package_name: bytehist + salt_state_path: remnux/tools/bytehist.sls + remnux_docs: + covered: true + category: Statically Analyze Code > Unpacking + description: Generate byte-usage-histograms for all types of files with a focus + on PE files. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/unpacking + website: https://www.cert.at/downloads/software/bytehist_en.html + anchor: bytehist + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: cabextract + name: cabextract + aliases: [] + description: Extract Microsoft cabinet (cab) files. 
+ in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: cabextract + salt_state_path: remnux/packages/cabextract.sls + remnux_docs: + covered: true + category: General Utilities + description: Extract Microsoft cabinet (cab) files. + docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + website: https://www.cabextract.org.uk + anchor: cabextract + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: capa + name: capa + aliases: [] + description: Identify malware capabilities mapped to MITRE ATT&CK framework and + Malware Behavior Catalog + in_remnux: true + platform: both + sources: + for610: + covered: true + description: Identify malware capabilities mapped to MITRE ATT&CK framework + and Malware Behavior Catalog + category: yara-detection + labs: + - '1.4' + - '5.4' + sections: + - 1 + - 5 + typical_usage: + - capa specimen.exe + - capa -vv specimen.exe + - capa -vv specimen.exe | grep -A7 'Suspended Process' + tags: + - capabilities + - mitre-attack + - automated-analysis + salt_states: + covered: true + install_method: manual + package_name: capa + salt_state_path: remnux/tools/capa.sls + remnux_docs: + covered: true + category: Statically Analyze Code > PE Files + description: Detect suspicious capabilities in PE files. 
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files + website: https://github.com/mandiant/capa + anchor: capa + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: cape-sandbox + name: CAPE Sandbox + aliases: + - CAPE + description: Automated malware analysis sandbox with payload extraction and config + dumping + in_remnux: false + platform: online + sources: + for610: + covered: true + description: Automated malware analysis sandbox with payload extraction and + config dumping + category: online-platforms + labs: [] + sections: + - 1 + typical_usage: + - https://capesandbox.com + tags: + - sandbox + - automated + - payload-extraction + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: cast + name: cast + aliases: + - remnux-packages-cast + description: Install and manage SaltStack-based Linux distributions. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: remnux-packages-cast + salt_state_path: remnux/packages/cast.sls + remnux_docs: + covered: true + category: General Utilities + description: Install and manage SaltStack-based Linux distributions. 
+ docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + website: https://github.com/ekristen/cast + anchor: cast + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: cff-explorer + name: CFF Explorer + aliases: [] + description: View and edit PE file headers, sections, imports, and resources + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: View and edit PE file headers, sections, imports, and resources + category: static-analysis-pe + labs: [] + sections: + - 1 + typical_usage: + - CFF Explorer specimen.exe + tags: + - pe + - header-editing + - resources + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: cffi + name: cffi + aliases: + - remnux-python3-packages-cffi + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-cffi + salt_state_path: remnux/python3-packages/cffi.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: cfr + name: cfr + aliases: [] + description: Modern Java decompiler — handles Java 8+ features including lambdas + and try-with-resources + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - cfr --outputdir output/ + - cfr + tags: + - java + - decompilation + - jar + description: Modern Java decompiler — handles Java 8+ features including lambdas + and try-with-resources + salt_states: + covered: true + install_method: manual + package_name: cfr + salt_state_path: remnux/tools/cfr.sls + remnux_docs: + covered: true + category: Statically Analyze Code > Java + description: Java decompiler. 
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/java + website: https://www.benf.org/other/cfr/ + anchor: cfr + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: chepy + name: chepy + aliases: + - remnux-python3-packages-chepy + - remnux-python3-packages-chepy-extras + - chepy[extras] + description: Decode and otherwise analyze data using this command-line tool and + Python library. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-chepy + salt_state_path: remnux/python3-packages/chepy.sls + remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Decode and otherwise analyze data using this command-line tool + and Python library. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://github.com/securisec/chepy + anchor: chepy + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: clamav + name: ClamAV + aliases: [] + description: Open-source antivirus — scan files for known malware signatures + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - clamscan + - clamscan -r / + - freshclam + tags: + - antivirus + - scanning + - signatures + description: Open-source antivirus — scan files for known malware signatures + salt_states: + covered: false + remnux_docs: + covered: true + category: Examine Static Properties > General + description: Scan files for malware signatures. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: https://www.clamav.net + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: false + help_tier: rich +- id: clamav-daemon + name: clamav-daemon + aliases: + - clamav-freshclam + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: clamav-daemon + salt_state_path: remnux/packages/clamav-daemon.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: cobalt-strike-configuration-extractor-csce-and-parser + name: Cobalt Strike Configuration Extractor (CSCE) and Parser + aliases: [] + description: Analyze Cobalt Strike beacons. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Analyze Cobalt Strike beacons. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://github.com/strozfriedberg/cobaltstrike-config-extractor + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: compatibility + name: compatibility + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: compatibility + salt_state_path: remnux/theme/compatibility.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: cs-analyze-processdump-py + name: cs-analyze-processdump.py + aliases: [] + description: Analyze Cobalt Strike beacon process dumps for sleep mask encoding + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - cs-analyze-processdump.py + tags: + - cobalt-strike + - sleep-mask + - memory + description: Analyze Cobalt Strike beacon process dumps for sleep mask encoding + salt_states: + covered: false + remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Analyze Cobalt Strike beacon process dumps to detect sleep mask + encoding. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://blog.didierstevens.com/2021/11/25/new-tool-cs-analyze-processdump-py/ + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: false + help_tier: rich +- id: cs-decrypt-metadata-py + name: cs-decrypt-metadata.py + aliases: [] + description: Decrypt Cobalt Strike beacon metadata from network captures + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - cs-decrypt-metadata.py + tags: + - cobalt-strike + - decryption + - metadata + description: Decrypt Cobalt Strike beacon metadata from network captures + salt_states: + covered: false + remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Decrypt Cobalt Strike metadata. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://blog.didierstevens.com/2021/11/12/update-cs-decrypt-metadata-py-version-0-0-2/ + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: false + help_tier: rich +- id: cs-extract-key-py + name: cs-extract-key.py + aliases: [] + description: Extract AES and HMAC encryption keys from Cobalt Strike beacon process + memory dumps + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - cs-extract-key.py -f + tags: + - cobalt-strike + - encryption + - key-extraction + description: Extract AES and HMAC encryption keys from Cobalt Strike beacon + process memory dumps + salt_states: + covered: false + remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Extract AES and HMAC keys from Cobalt Strike beacon process memory. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://blog.didierstevens.com/2021/11/03/new-tool-cs-extract-key-py/ + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: false + help_tier: rich +- id: cs-parse-traffic-py + name: cs-parse-traffic.py + aliases: [] + description: Decrypt and parse Cobalt Strike beacon network traffic using extracted + keys + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - cs-parse-traffic.py -f -k + tags: + - cobalt-strike + - traffic + - decryption + description: Decrypt and parse Cobalt Strike beacon network traffic using extracted + keys + salt_states: + covered: false + remnux_docs: + covered: true + category: Explore Network Interactions > Monitoring + description: Decrypt and parse Cobalt Strike beacon network traffic. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring + website: https://blog.didierstevens.com/2021/11/29/new-tool-cs-parse-traffic-py/ + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: false + help_tier: rich +- id: cscript + name: CScript + aliases: + - cscript.exe + description: Windows Script Host command-line — execute JScript/VBScript for AMSI + monitoring + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: Windows Script Host command-line — execute JScript/VBScript for + AMSI monitoring + category: javascript-analysis + labs: + - '3.6' + sections: + - 3 + typical_usage: + - cscript malicious.js + tags: + - javascript + - vbscript + - windows-script-host + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: curl + name: curl + aliases: [] + description: Transfer data to/from servers using various protocols + in_remnux: true + platform: linux + sources: + for610: + covered: true + 
description: Transfer data to/from servers using various protocols + category: utilities + labs: [] + sections: + - 1 + typical_usage: + - curl -L http://example.com + - curl -o output.bin http://example.com/file + tags: + - download + - http + - transfer + salt_states: + covered: true + install_method: apt + package_name: remnux-packages-curl + salt_state_path: remnux/packages/curl.sls + remnux_docs: + covered: true + category: Explore Network Interactions > Connecting + description: Interact with servers via supported protocols, including HTTP, + HTTPS, FTP, IMAP, etc. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting + website: https://curl.se + anchor: curl + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: cut-bytes-py + name: cut-bytes.py + aliases: [] + description: Cut out a part of a data stream. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Cut out a part of a data stream. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://blog.didierstevens.com/2015/10/14/cut-bytes-py/ + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: cutter + name: Cutter + aliases: [] + description: Open-source reverse engineering platform — Qt-based GUI for radare2 + in_remnux: true + platform: both + sources: + for610: + covered: true + description: Open-source reverse engineering platform — Qt-based GUI for radare2 + category: code-analysis + labs: [] + sections: + - 2 + typical_usage: + - cutter specimen.exe + tags: + - disassembly + - radare2 + - open-source + salt_states: + covered: true + install_method: manual + package_name: cutter + salt_state_path: remnux/tools/cutter.sls + remnux_docs: + covered: true + category: Statically Analyze Code > General + description: Reverse engineering platform powered by Rizin. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/general + website: https://cutter.re + anchor: cutter + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: cyberchef + name: CyberChef + aliases: [] + description: Web-based data transformation tool — decode Base64, XOR, hex, decompress, + and chain operations + in_remnux: true + platform: both + sources: + for610: + covered: true + description: Web-based data transformation tool — decode Base64, XOR, hex, decompress, + and chain operations + category: string-deobfuscation + labs: + - '1.5' + - '3.8' + - '3.12' + sections: + - 1 + - 3 + typical_usage: + - cyberchef + tags: + - decoding + - encoding + - transformation + - web-based + salt_states: + covered: true + install_method: manual + package_name: cyberchef + salt_state_path: remnux/tools/cyberchef.sls + remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Decode and otherwise analyze data using this browser 
app. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://github.com/gchq/CyberChef/ + anchor: cyberchef + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: dc3-mwcp + name: dc3-mwcp + aliases: + - remnux-python3-packages-dc3-mwcp + - mwcp + description: DC3 Malware Configuration Parser — extract C2 configs from known malware + families + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - mwcp parse + - mwcp parse -p Emotet + tags: + - malware + - config-extraction + - c2 + description: DC3 Malware Configuration Parser — extract C2 configs from known + malware families + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-dc3-mwcp + salt_state_path: remnux/python3-packages/dc3-mwcp.sls + remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Parsing configuration information from malware. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://github.com/Defense-Cyber-Crime-Center/DC3-mwcp + anchor: dc3-mwcp + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: de4dot + name: de4dot + aliases: [] + description: .NET deobfuscator — remove obfuscation from .NET assemblies + in_remnux: true + platform: both + sources: + for610: + covered: true + description: .NET deobfuscator — remove obfuscation from .NET assemblies + category: dotnet-analysis + labs: + - '4.8' + sections: + - 4 + typical_usage: + - de4dot obfuscated.exe + tags: + - dotnet + - deobfuscation + salt_states: + covered: false + remnux_docs: + covered: true + category: Statically Analyze Code > .NET + description: Deobfuscate and unpack. 
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/.net + website: https://github.com/0xd4d/de4dot + anchor: de4dot + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: false + help_tier: rich +- id: decode-vbe-py + name: decode-vbe.py + aliases: [] + description: Decode encoded VBS scripts (VBE). + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Statically Analyze Code > Scripts + description: Decode encoded VBS scripts (VBE). + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts + website: https://blog.didierstevens.com/2016/03/29/decoding-vbe/ + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: decompyle + name: Decompyle++ + aliases: [] + description: Python bytecode disassembler and decompiler. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Statically Analyze Code > Python + description: Python bytecode disassembler and decompiler. 
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/python + website: https://github.com/zrax/pycdc + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: default-jdk + name: default-jdk + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: default-jdk + salt_state_path: remnux/packages/default-jdk.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: default-jre + name: default-jre + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: default-jre + salt_state_path: remnux/packages/default-jre.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: dex2jar + name: dex2jar + aliases: [] + description: Examine Dalvik Executable (dex) files. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: dex2jar + salt_state_path: remnux/packages/dex2jar.sls + remnux_docs: + covered: true + category: Statically Analyze Code > Android + description: Examine Dalvik Executable (dex) files. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android + website: https://github.com/pxb1988/dex2jar + anchor: dex2jar + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: dexray + name: dexray + aliases: [] + description: Extract and decode data from antivirus quarantine files. 
+ in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: script + package_name: dexray + salt_state_path: remnux/scripts/dexray.sls + remnux_docs: + covered: true + category: Gather and Analyze Data + description: Extract and decode data from antivirus quarantine files. + docs_url: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + website: https://www.hexacorn.com/blog/category/software-releases/dexray/ + anchor: dexray + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: dialog + name: dialog + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: dialog + salt_state_path: remnux/packages/dialog.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: didier-stevens-suite + name: didier-stevens-scripts + aliases: + - '{{' + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-dissect-fusepy-prereq + salt_state_path: remnux/python3-packages/dissect.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: diec + name: diec + aliases: + - Detect It Easy + - DIE + description: Detect packers, compilers, and tools used to create executables + in_remnux: true + platform: both + sources: + for610: + covered: true + description: Detect packers, compilers, and tools used to create executables + category: static-analysis-pe + labs: + - '4.1' + sections: + - 1 + - 4 + typical_usage: + - diec specimen.exe + tags: + - pe + - packer-detection + - compiler-detection + salt_states: + covered: true + install_method: manual + package_name: 
remnux-tools-detect-it-easy-install + salt_state_path: remnux/tools/detect-it-easy.sls + remnux_docs: + covered: true + category: Examine Static Properties > General + description: Determine types of files and examine file properties. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: https://github.com/horsicq/Detect-It-Easy + anchor: detect-it-easy + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: disitool + name: disitool + aliases: [] + description: Manipulate embedded digital signatures. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Examine Static Properties > General + description: Manipulate embedded digital signatures. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: https://blog.didierstevens.com/programs/disitool/ + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: display + name: display + aliases: + - set-scaling + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: set-scaling + salt_state_path: remnux/config/display.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: dissect + name: dissect + aliases: [] + description: Perform a variety of forensics and incident response tasks using this + DFIR framework and toolset. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Gather and Analyze Data + description: Perform a variety of forensics and incident response tasks using + this DFIR framework and toolset. 
+ docs_url: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + website: https://github.com/fox-it/dissect + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: distro-info + name: distro-info + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: pip + package_name: distro-info + salt_state_path: remnux/python3-packages/distro-info.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: dllcharacteristics + name: dllcharacteristics + aliases: + - dllcharacteristics.py + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: script + package_name: dllcharacteristics.py + salt_state_path: remnux/scripts/dllcharacteristics.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: dnfile + name: dnfile + aliases: + - remnux-python3-packages-dnfile + description: Analyze static properties of. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-dnfile + salt_state_path: remnux/python3-packages/dnfile.sls + remnux_docs: + covered: true + category: Examine Static Properties > .NET + description: Analyze static properties of. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/.net + website: https://github.com/malwarefrank/dnfile + anchor: dnfile + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: dnslib + name: dnslib + aliases: + - remnux-python3-packages-dnslib + description: Python library to encode/decode DNS wire-format packets. 
+ in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-dnslib + salt_state_path: remnux/python3-packages/dnslib.sls + remnux_docs: + covered: true + category: Gather and Analyze Data + description: Python library to encode/decode DNS wire-format packets. + docs_url: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + website: https://github.com/paulc/dnslib + anchor: dnslib + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: dnspyex + name: dnSpyEx + aliases: + - dnSpy + description: .NET debugger and decompiler — debug obfuscated/packed .NET malware + with breakpoints + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: .NET debugger and decompiler — debug obfuscated/packed .NET malware + with breakpoints + category: dotnet-analysis + labs: + - '4.8' + sections: + - 4 + typical_usage: + - dnSpyEx.exe assembly.exe + tags: + - dotnet + - debugger + - decompiler + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: dnsresolver-py + name: dnsresolver.py + aliases: [] + description: DNS resolver tool for dynamic analysis with wildcard and tracking support. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Explore Network Interactions > Services + description: DNS resolver tool for dynamic analysis with wildcard and tracking + support. 
+ docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services + website: https://blog.didierstevens.com/2021/07/15/new-tool-dnsresolver-py/ + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: docker + name: docker + aliases: + - docker-docker-ce + - docker-engine + - docker-ce + description: Run and manage containers. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: manual + package_name: docker-compose + salt_state_path: remnux/tools/docker-compose.sls + remnux_docs: + covered: true + category: General Utilities + description: Run and manage containers. + docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + website: https://www.docker.com + anchor: docker + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: dog + name: dog + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: dog + salt_state_path: remnux/theme/dog.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: dos2unix + name: dos2unix + aliases: [] + description: Convert text files with Windows or macOS line breaks to Unix line breaks + and vice versa. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: dos2unix + salt_state_path: remnux/packages/dos2unix.sls + remnux_docs: + covered: true + category: View or Edit Files + description: Convert text files with Windows or macOS line breaks to Unix line + breaks and vice versa. 
+ docs_url: https://docs.remnux.org/discover-the-tools/view+or+edit+files + website: https://waterlan.home.xs4all.nl/dos2unix.html + anchor: dos2unix + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: dot-cache + name: dot-cache + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: dot-cache + salt_state_path: remnux/config/dot-cache.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: dot-config + name: dot-config + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: dot-config + salt_state_path: remnux/config/dot-config.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: dot-cpan + name: dot-cpan + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: dot-cpan + salt_state_path: remnux/config/dot-cpan.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: dot-dbus + name: dot-dbus + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: dot-dbus + salt_state_path: remnux/config/dot-dbus.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: dot-local + name: dot-local + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + 
covered: true + install_method: unknown + package_name: dot-local + salt_state_path: remnux/config/dot-local.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: dotdumper + name: DotDumper + aliases: [] + description: Execution monitor and memory extractor for automatic .NET malware unpacking + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: Execution monitor and memory extractor for automatic .NET malware + unpacking + category: dotnet-analysis + labs: [] + sections: + - 4 + typical_usage: + - DotDumper.exe -file chatroom.exe + tags: + - dotnet + - unpacking + - memory-extraction + - automated + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: dotnet-runtime-3-1 + name: dotnet-runtime-3-1 + aliases: + - dotnet3 + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: dotnet3 + salt_state_path: remnux/packages/dotnet-runtime-3-1.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: dotnetfile + name: dotnetfile + aliases: + - dotnetfile_dump.py + description: Analyze static properties of. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: pip + package_name: dotnetfile_dump.py + salt_state_path: remnux/python3-packages/dotnetfile.sls + remnux_docs: + covered: true + category: Examine Static Properties > .NET + description: Analyze static properties of. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/.net + website: https://github.com/pan-unit42/dotnetfile + anchor: dotnetfile + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: dotpeek + name: dotPeek + aliases: [] + description: Free JetBrains .NET decompiler — alternative to ILSpy for viewing .NET + source + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: Free JetBrains .NET decompiler — alternative to ILSpy for viewing + .NET source + category: dotnet-analysis + labs: [] + sections: + - 4 + typical_usage: + - dotPeek.exe assembly.exe + tags: + - dotnet + - decompiler + - jetbrains + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: droidlysis + name: droidlysis + aliases: + - remnux-python3-packages-droidlysis + description: Perform static analysis of Android applications. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-droidlysis + salt_state_path: remnux/python3-packages/droidlysis.sls + remnux_docs: + covered: true + category: Examine Static Properties > General + description: Perform static analysis of Android applications. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: https://github.com/cryptax/droidlysis + anchor: droidlysis + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: edb-debugger + name: edb-debugger + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: edb-debugger + salt_state_path: remnux/packages/edb-debugger.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: emldump-py + name: emldump.py + aliases: + - emldump + description: Parse and analyze EML email message files + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Parse and analyze EML email message files + category: document-analysis + labs: [] + sections: + - 3 + typical_usage: + - emldump.py message.eml + tags: + - email + - eml + - didier-stevens + author: Didier Stevens + salt_states: + covered: false + remnux_docs: + covered: true + category: Analyze Documents > Email Messages + description: Parse and analyze EML files. 
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages + website: https://blog.didierstevens.com/2020/11/29/update-emldump-py-version-0-0-11/ + anchor: emldump.py + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: false + help_tier: rich +- id: enchant + name: enchant + aliases: + - remnux-packages-enchant + - enchant-2 + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: remnux-packages-enchant + salt_state_path: remnux/packages/enchant.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: epic-irc-client + name: EPIC IRC Client + aliases: [] + description: Examine IRC activities with this IRC client. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Explore Network Interactions > Connecting + description: Examine IRC activities with this IRC client. 
+ docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting + website: https://www.epicsol.org/ + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: epic5 + name: epic5 + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: epic5 + salt_state_path: remnux/packages/epic5.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: evilclippy + name: evilclippy + aliases: [] + description: Remove VBA project password protection and manipulate Office macro + settings + in_remnux: true + platform: both + sources: + for610: + covered: true + description: Remove VBA project password protection and manipulate Office macro + settings + category: document-analysis + labs: [] + sections: + - 3 + typical_usage: + - evilclippy -uu document.docm + tags: + - office + - vba + - password-removal + salt_states: + covered: true + install_method: apt + package_name: remnux-packages-evilclippy + salt_state_path: remnux/packages/evilclippy.sls + remnux_docs: + covered: true + category: Analyze Documents > Microsoft Office + description: Modify aspects of Microsoft Office documents. + docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + website: https://github.com/outflanknl/EvilClippy + anchor: evilclippy + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: evince + name: evince + aliases: [] + description: View documents in a variety of formats, including PDF. 
+ in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: evince + salt_state_path: remnux/packages/evince.sls + remnux_docs: + covered: true + category: View or Edit Files + description: View documents in a variety of formats, including PDF. + docs_url: https://docs.remnux.org/discover-the-tools/view+or+edit+files + website: https://wiki.gnome.org/Apps/Evince + anchor: evince + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: ex-pe-xor + name: ex-pe-xor + aliases: + - ex-pe-xor.py + description: Search an XOR'ed file for indications of executable binaries. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: script + package_name: ex-pe-xor.py + salt_state_path: remnux/scripts/ex-pe-xor.sls + remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Search an XOR'ed file for indications of executable binaries. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://hooked-on-mnemonics.blogspot.com/2014/04/expexorpy.html + anchor: ex_pe_xor.py + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: exeinfo-pe + name: ExeInfo PE + aliases: + - ExeInfoPE + - ExeInfo + description: Identify tools and packers used to create PE executables + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: Identify tools and packers used to create PE executables + category: static-analysis-pe + labs: + - '3.12' + sections: + - 1 + - 3 + typical_usage: + - ExeInfoPE.exe specimen.exe + tags: + - pe + - packer-detection + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: exfat-utils + name: exfat-utils + aliases: + - remnux-packages-exfat-utils + - exfatprogs + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: remnux-packages-exfat-utils + salt_state_path: remnux/packages/exfat-utils.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: exiftool + name: exiftool + aliases: [] + description: Extract metadata from files (PDF, images, documents, executables) + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Extract metadata from files (PDF, images, documents, executables) + category: static-analysis-pe + labs: [] + sections: + - 1 + typical_usage: + - exiftool document.pdf + - exiftool specimen.exe + tags: + - metadata + - triage + salt_states: + covered: true + install_method: perl + package_name: perl + salt_state_path: remnux/perl-packages/exiftool.sls + remnux_docs: + covered: true + category: Examine Static 
Properties > General + description: Tool to read from, write to, and edit EXIF metadata of various + file types. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: https://exiftool.org/ + anchor: exiftool + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: fakedns + name: fakedns + aliases: [] + description: Fake DNS server that resolves all queries to a specified IP for traffic + interception + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Fake DNS server that resolves all queries to a specified IP for + traffic interception + category: network-analysis + labs: + - '1.3' + - '1.6' + - '1.7' + - '1.8' + sections: + - 1 + typical_usage: + - fakedns + tags: + - dns + - spoofing + - interception + - lab-setup + salt_states: + covered: true + install_method: manual + package_name: fakedns.py + salt_state_path: remnux/tools/fakedns.sls + remnux_docs: + covered: true + category: Explore Network Interactions > Services + description: Respond to DNS queries with the specified IP address. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services + website: https://github.com/SocialExploits/fakedns/blob/main/fakedns.py + anchor: fakedns + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: fakemail + name: fakemail + aliases: + - remnux-python3-packages-fakemail + description: Intercept and examine SMTP email activity with this fake SMTP server. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-fakemail + salt_state_path: remnux/python3-packages/fakemail.sls + remnux_docs: + covered: true + category: Explore Network Interactions > Services + description: Intercept and examine SMTP email activity with this fake SMTP server. 
+ docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services + website: https://hg.sr.ht/~olly/fakemail + anchor: fakemail + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: fakenet-ng + name: fakenet-ng + aliases: + - remnux-python3-package-fakenet-ng + - git+https://github.com/mandiant/flare-fakenet-ng.git@{{ + - '{{' + description: Emulate network services (HTTP, DNS, SMTP, FTP) to intercept and analyze + malware traffic dynamically + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - fakenet + - fakenet -c custom_config.ini + tags: + - network + - emulation + - dynamic-analysis + - c2 + description: Emulate network services (HTTP, DNS, SMTP, FTP) to intercept and + analyze malware traffic dynamically + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-xlmmacrodeobfuscator + salt_state_path: remnux/python3-packages/xlmmacrodeobfuscator.sls + remnux_docs: + covered: true + category: Explore Network Interactions > Services + description: Emulate common network services and interact with malware. 
+ docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services + website: https://github.com/mandiant/flare-fakenet-ng + anchor: fakenet-ng + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: feh + name: feh + aliases: [] + description: Lightweight image viewer for viewing extracted images from documents + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Lightweight image viewer for viewing extracted images from documents + category: utilities + labs: + - '3.1' + sections: + - 3 + typical_usage: + - feh extracted_image.jpg + tags: + - image-viewer + salt_states: + covered: true + install_method: apt + package_name: feh + salt_state_path: remnux/packages/feh.sls + remnux_docs: + covered: true + category: View or Edit Files + description: View images. + docs_url: https://docs.remnux.org/discover-the-tools/view+or+edit+files + website: https://feh.finalrewind.org + anchor: feh + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: fiddler + name: Fiddler + aliases: [] + description: HTTP/HTTPS debugging proxy for intercepting, inspecting, and modifying + web traffic + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: HTTP/HTTPS debugging proxy for intercepting, inspecting, and modifying + web traffic + category: network-analysis + labs: + - '3.2' + - '3.8' + - '3.9' + - '3.10' + - '3.11' + - '3.12' + - '4.5' + sections: + - 3 + - 4 + typical_usage: + - Fiddler.exe + tags: + - http + - https + - proxy + - web-traffic + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: file + name: file + aliases: [] + description: Determine file type and MIME type using magic bytes + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Determine 
file type and MIME type using magic bytes + category: static-analysis-pe + labs: + - '3.4' + - '3.5' + sections: + - 3 + typical_usage: + - file specimen.exe + - file document.doc + tags: + - file-identification + - triage + salt_states: + covered: true + install_method: apt + package_name: file + salt_state_path: remnux/packages/file.sls + remnux_docs: + covered: true + category: Examine Static Properties > General + description: Identify file type using "magic" numbers. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: https://github.com/file/file + anchor: file + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: file-magic-py + name: file-magic.py + aliases: [] + description: Identify file types using the Python magic module. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Examine Static Properties > General + description: Identify file types using the Python magic module. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: https://blog.didierstevens.com/2018/07/11/new-tool-file-magic-py/ + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: filescan-io + name: FileScan.IO + aliases: [] + description: Online malware analysis sandbox with multi-format support + in_remnux: false + platform: online + sources: + for610: + covered: true + description: Online malware analysis sandbox with multi-format support + category: online-platforms + labs: [] + sections: + - 1 + typical_usage: + - https://filescan.io + tags: + - sandbox + - online + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: firefox + name: firefox + aliases: [] + description: Web browser. 
+ in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: firefox + salt_state_path: remnux/packages/firefox.sls + remnux_docs: + covered: true + category: General Utilities + description: Web browser. + docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + website: https://www.mozilla.org/firefox/ + anchor: firefox + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: flare-floss + name: flare-floss + aliases: + - remnux-packages-flare-floss + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: remnux-packages-flare-floss + salt_state_path: remnux/packages/flare-floss.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: flex + name: flex + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: flex + salt_state_path: remnux/packages/flex.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: floss + name: FLOSS + aliases: + - floss + description: Automatically extract obfuscated strings from malware using static + analysis, stack strings, and emulation + in_remnux: true + platform: both + sources: + for610: + covered: true + description: Automatically extract obfuscated strings from malware using static + analysis, stack strings, and emulation + category: string-deobfuscation + labs: + - '5.2' + - '5.3' + sections: + - 5 + typical_usage: + - floss specimen.exe + - floss specimen.exe > strings-output.txt + - floss --no-static -- specimen.exe + tags: + - strings + - deobfuscation + - automated + salt_states: + covered: false + 
remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Extract and deobfuscate strings from PE executables. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://github.com/mandiant/flare-floss + anchor: floss + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: false + help_tier: rich +- id: format-bytes-py + name: format-bytes.py + aliases: [] + description: Decompose structured binary data with format strings. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Decompose structured binary data with format strings. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://blog.didierstevens.com/2020/02/17/update-format-bytes-py-version-0-0-13/ + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: frida + name: Frida + aliases: [] + description: Dynamic instrumentation toolkit — hook and trace running processes, + intercept function calls in real time + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - frida -l hook.js + - frida-trace -i 'recv*' + - frida-ps -U + tags: + - dynamic + - instrumentation + - hooking + - tracing + description: Dynamic instrumentation toolkit — hook and trace running processes, + intercept function calls in real time + salt_states: + covered: false + remnux_docs: + covered: true + category: Dynamically Reverse-Engineer Code > General + description: Trace the execution of a process to analyze its behavior. 
+ docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/general + website: https://frida.re + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: false + help_tier: rich +- id: galculator + name: galculator + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: galculator + salt_state_path: remnux/packages/galculator.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: gdb + name: gdb + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: gdb + salt_state_path: remnux/packages/gdb.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: gdm3 + name: gdm3 + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: gdm3 + salt_state_path: remnux/theme/core/gdm3.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: ghidra + name: Ghidra + aliases: [] + description: Open-source disassembler and decompiler from NSA with scripting, function + graphs, and data type management + in_remnux: true + platform: both + sources: + for610: + covered: true + description: Open-source disassembler and decompiler from NSA with scripting, + function graphs, and data type management + category: code-analysis + labs: + - '2.1' + - '2.2' + - '2.3' + - '2.4' + - '2.5' + - '2.6' + - '2.7' + - '2.8' + - '4.9' + - '5.2' + - '5.4' + - '5.5' + - '5.6' + - '5.7' + - '5.9' + sections: + - 2 + - 4 + - 5 + typical_usage: + - ghidra + tags: + - 
disassembly + - decompilation + - code-analysis + - function-graph + salt_states: + covered: true + install_method: manual + package_name: ghidrassist-mcp + salt_state_path: remnux/tools/ghidrassist-mcp.sls + remnux_docs: + covered: true + category: Statically Analyze Code > General + description: Software reverse engineering tool suite. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/general + website: https://ghidra-sre.org + anchor: ghidra + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: ghidrassistmcp + name: GhidrAssistMCP + aliases: [] + description: MCP server for AI-assisted reverse engineering in Ghidra. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Use Artificial Intelligence + description: MCP server for AI-assisted reverse engineering in Ghidra. + docs_url: https://docs.remnux.org/discover-the-tools/use+artificial+intelligence + website: https://github.com/jtang613/GhidrAssistMCP + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: gift + name: gift + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: gift + salt_state_path: remnux/repos/gift.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: git + name: git + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: git + salt_state_path: remnux/packages/git.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: gnome-calculator + name: GNOME Calculator + aliases: 
[] + description: Calculator. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: General Utilities + description: Calculator. + docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + website: https://wiki.gnome.org/Apps/Calculator + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: gnome-session + name: gnome-session + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: gnome-session + salt_state_path: remnux/theme/core/gnome-session.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: gnome-shell-extensions + name: gnome-shell-extensions + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: gnome-shell-extensions + salt_state_path: remnux/theme/core/gnome-shell-extensions.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: gnome-terminal + name: gnome-terminal + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: gnome-terminal + salt_state_path: remnux/theme/core/gnome-terminal.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: gnome-tweaks + name: gnome-tweaks + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: gnome-tweaks + salt_state_path: 
remnux/theme/core/gnome-tweaks.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: gnu-wget + name: GNU Wget + aliases: [] + description: Interact with servers via HTTP, HTTPS, FTP, and FTPS using this command-line + tool. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Explore Network Interactions > Connecting + description: Interact with servers via HTTP, HTTPS, FTP, and FTPS using this + command-line tool. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting + website: https://www.gnu.org/software/wget/ + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: gnutls-bin + name: gnutls-bin + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: gnutls-bin + salt_state_path: remnux/packages/gnutls-bin.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: goresym + name: goresym + aliases: + - GoReSym + description: Extract metadata and symbols from Go binaries, including stripped ones. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: manual + package_name: GoReSym + salt_state_path: remnux/tools/goresym.sls + remnux_docs: + covered: true + category: Examine Static Properties > Go + description: Extract metadata and symbols from Go binaries, including stripped + ones. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/go + website: https://github.com/mandiant/GoReSym + anchor: goresym + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: graphviz + name: graphviz + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: graphviz + salt_state_path: remnux/packages/graphviz.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: grub-kvm + name: grub-kvm + aliases: + - update-grub + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: update-grub + salt_state_path: remnux/config/grub-kvm.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: guest-tools + name: guest-tools + aliases: + - open-vm-tools-desktop + - qemu-guest-agent + - spice-vdagent + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: manual + package_name: open-vm-tools-desktop + salt_state_path: remnux/theme/core/guest-tools.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: gunzip + name: gunzip + aliases: [] + description: Decompress gzip-compressed data (often used in multi-stage payload + extraction) + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Decompress gzip-compressed data (often used in multi-stage payload + extraction) + category: utilities + labs: + - '3.4' + sections: + - 3 + typical_usage: + - gunzip -c compressed.gz > output.bin + tags: + - compression + - extraction + 
salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: hachoir + name: Hachoir + aliases: [] + description: View, edit, and carve contents of various binary file types. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Examine Static Properties > General + description: View, edit, and carve contents of various binary file types. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: https://github.com/vstinner/hachoir + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: hash-id + name: Hash ID + aliases: [] + description: Identify different types of hashes. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Examine Static Properties > General + description: Identify different types of hashes. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: https://github.com/blackploit/hash-identifier + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: hex-to-bin-py + name: hex-to-bin.py + aliases: [] + description: Convert hexadecimal text dumps to binary data. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Convert hexadecimal text dumps to binary data. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://blog.didierstevens.com/2020/04/19/update-hex-to-bin-py-version-0-0-5/ + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: hexdump + name: hexdump + aliases: [] + description: Display file content in hexadecimal format + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Display file content in hexadecimal format + category: utilities + labs: [] + sections: + - 1 + typical_usage: + - hexdump -C binary.dat + tags: + - hex + - binary-viewing + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: httpd + name: httpd + aliases: + - accept-all-ips + description: Simple HTTP server on REMnux for simulating C2 web servers + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Simple HTTP server on REMnux for simulating C2 web servers + category: network-analysis + labs: + - '1.3' + - '1.6' + - '1.8' + sections: + - 1 + typical_usage: + - httpd + tags: + - http + - web-server + - c2-simulation + - lab-setup + salt_states: + covered: true + install_method: script + package_name: accept-all-ips + salt_state_path: remnux/scripts/accept-all-ips.sls + remnux_docs: + covered: true + category: Explore Network Interactions > Services + description: Accept connections to all IPv4 and IPv6 addresses and redirect + it to the corresponding local port. 
+ docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services + website: https://github.com/REMnux/distro/blob/master/files/accept-all-ips + anchor: accept-all-ips + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: hybrid-analysis + name: Hybrid Analysis + aliases: [] + description: CrowdStrike automated sandbox for malware detonation and behavioral + reporting + in_remnux: false + platform: online + sources: + for610: + covered: true + description: CrowdStrike automated sandbox for malware detonation and behavioral + reporting + category: online-platforms + labs: [] + sections: + - 1 + typical_usage: + - https://hybrid-analysis.com + tags: + - sandbox + - behavioral + - crowdstrike + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: i386-architecture + name: i386-architecture + aliases: + - libc6 + - i386 + - dpkg + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: libc6 + salt_state_path: remnux/packages/i386-architecture.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: ibus + name: ibus + aliases: [] + description: Adjust input methods for the GUI. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: ibus + salt_state_path: remnux/packages/ibus.sls + remnux_docs: + covered: true + category: General Utilities + description: Adjust input methods for the GUI. 
+ docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + website: https://github.com/ibus/ibus + anchor: ibus + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: ida + name: IDA + aliases: + - IDA Pro + - IDA Freeware + description: Commercial interactive disassembler and debugger from Hex-Rays + in_remnux: false + platform: both + sources: + for610: + covered: true + description: Commercial interactive disassembler and debugger from Hex-Rays + category: code-analysis + labs: [] + sections: + - 2 + typical_usage: + - ida64.exe specimen.exe + tags: + - disassembly + - decompilation + - commercial + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: ilspy + name: ILSpy + aliases: [] + description: .NET assembly decompiler — view C#/VB.NET source from compiled .NET + binaries + in_remnux: true + platform: windows + sources: + for610: + covered: true + description: .NET assembly decompiler — view C#/VB.NET source from compiled + .NET binaries + category: dotnet-analysis + labs: + - '3.12' + - '4.8' + sections: + - 3 + - 4 + typical_usage: + - ILSpy.exe assembly.exe + tags: + - dotnet + - decompiler + - csharp + salt_states: + covered: true + install_method: apt + package_name: ilspycmd + salt_state_path: remnux/packages/ilspy.sls + remnux_docs: + covered: true + category: Statically Analyze Code > .NET + description: Examine and decompile. 
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/.net + website: https://github.com/icsharpcode/ILSpy + anchor: ilspy + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: ilspycmd + name: ilspycmd + aliases: [] + description: Command-line .NET decompiler (CLI version of ILSpy) + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Command-line .NET decompiler (CLI version of ILSpy) + category: dotnet-analysis + labs: + - '4.8' + sections: + - 4 + typical_usage: + - ilspycmd assembly.exe > decompiled.cs + tags: + - dotnet + - decompiler + - cli + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: imagemagick + name: imagemagick + aliases: [] + description: View and manipulate image and related files. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: imagemagick + salt_state_path: remnux/packages/imagemagick.sls + remnux_docs: + covered: true + category: View or Edit Files + description: View and manipulate image and related files. 
+ docs_url: https://docs.remnux.org/discover-the-tools/view+or+edit+files + website: https://imagemagick.org/ + anchor: imagemagick + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: inetsim + name: INetSim + aliases: [] + description: Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for malware + analysis in isolated labs + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for malware + analysis in isolated labs + category: network-analysis + labs: + - '1.7' + sections: + - 1 + typical_usage: + - inetsim + tags: + - service-emulation + - network-simulation + - lab-setup + salt_states: + covered: true + install_method: apt + package_name: remnux-packages-inetsim + salt_state_path: remnux/packages/inetsim.sls + remnux_docs: + covered: true + category: Explore Network Interactions > Services + description: Emulate common network services and interact with malware. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services + website: https://www.inetsim.org/ + anchor: inetsim + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: inspircd + name: inspircd + aliases: + - remnux-packages-inspircd-install + description: Examine IRC activity with this IRC server. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: remnux-packages-inspircd-install + salt_state_path: remnux/packages/inspircd.sls + remnux_docs: + covered: true + category: Explore Network Interactions > Services + description: Examine IRC activity with this IRC server. 
+ docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services + website: https://www.inspircd.org/ + anchor: inspircd-3 + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: intezer-analyze + name: Intezer Analyze + aliases: [] + description: Automated code analysis platform for malware classification using code + reuse detection + in_remnux: false + platform: online + sources: + for610: + covered: true + description: Automated code analysis platform for malware classification using + code reuse detection + category: online-platforms + labs: [] + sections: + - 1 + typical_usage: + - https://analyze.intezer.com + tags: + - code-reuse + - classification + - automated + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: ioc-parser + name: ioc-parser + aliases: + - remnux-python3-packages-ioc-parser + - git+https://github.com/buffer/ioc_parser.git + - iocp + description: Extract indicators of compromise (IOCs) from PDF reports and text files + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - ioc_parser + tags: + - ioc + - extraction + - threat-intel + description: Extract indicators of compromise (IOCs) from PDF reports and text + files + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-ioc-parser + salt_state_path: remnux/python3-packages/ioc-parser.sls + remnux_docs: + covered: true + category: Gather and Analyze Data + description: Extract IOCs from security report PDFs. 
+ docs_url: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + website: https://github.com/buffer/ioc_parser + anchor: ioc_parser + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: iproute2 + name: iproute2 + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: iproute2 + salt_state_path: remnux/packages/iproute2.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: iptables + name: iptables + aliases: [] + description: Linux firewall and NAT tool for redirecting IP-based malware traffic + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Linux firewall and NAT tool for redirecting IP-based malware traffic + category: network-analysis + labs: + - '1.8' + sections: + - 1 + typical_usage: + - iptables -t nat -A PREROUTING -i ens32 -j REDIRECT + tags: + - firewall + - nat + - traffic-redirection + salt_states: + covered: true + install_method: apt + package_name: iptables + salt_state_path: remnux/packages/iptables.sls + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: true + help_tier: rich +- id: iputils-ping + name: iputils-ping + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: iputils-ping + salt_state_path: remnux/packages/iputils-ping.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: ipwhois + name: ipwhois + aliases: [] + description: Retrieve and parse whois data for IP addresses. 
+ in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Gather and Analyze Data + description: Retrieve and parse whois data for IP addresses. + docs_url: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + website: https://github.com/secynic/ipwhois + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: ipython3 + name: ipython3 + aliases: + - remnux-packages-ipython3 + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: remnux-packages-ipython3 + salt_state_path: remnux/packages/ipython3.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: jadx + name: jadx + aliases: + - jadx-gui + description: Decompile Android DEX/APK to Java source code with a GUI or command + line + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - jadx -d output/ + - jadx-gui + tags: + - android + - dex + - java + - decompilation + description: Decompile Android DEX/APK to Java source code with a GUI or command + line + salt_states: + covered: true + install_method: manual + package_name: jadx + salt_state_path: remnux/tools/jadx.sls + remnux_docs: + covered: true + category: Statically Analyze Code > Android + description: Generate Java source code from Dalvik Executable (dex) and Android + APK files. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android + website: https://github.com/skylot/jadx + anchor: jadx + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: java-idx-parser + name: java-idx-parser + aliases: + - idx_parser.py + description: Analyze Java IDX files. 
+ in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: script + package_name: idx_parser.py + salt_state_path: remnux/scripts/java-idx-parser.sls + remnux_docs: + covered: true + category: Statically Analyze Code > Java + description: Analyze Java IDX files. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/java + website: https://github.com/digitalsleuth/Java_IDX_Parser + anchor: java-idx-parser + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: javassist + name: Javassist + aliases: [] + description: Java bytecode engineering toolkit/library. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Statically Analyze Code > Java + description: Java bytecode engineering toolkit/library. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/java + website: https://www.javassist.org/ + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: jd-gui + name: jd-gui + aliases: [] + description: Visual Java decompiler with GUI — browse and search decompiled JAR/class + files + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - jd-gui + tags: + - java + - decompilation + - gui + description: Visual Java decompiler with GUI — browse and search decompiled + JAR/class files + salt_states: + covered: true + install_method: manual + package_name: jd-gui + salt_state_path: remnux/tools/jd-gui.sls + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: true + help_tier: rich +- id: jd-gui-java-decompiler + name: JD-GUI Java Decompiler + aliases: [] + description: Java decompiler with GUI. 
+ in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Statically Analyze Code > Java + description: Java decompiler with GUI. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/java + website: https://java-decompiler.github.io/ + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: jq + name: jq + aliases: [] + description: Command-line JSON processor for extracting and transforming structured + data + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Command-line JSON processor for extracting and transforming structured + data + category: utilities + labs: + - '1.4' + sections: + - 1 + typical_usage: + - cat report.json | jq '.apis' + - jq -r '.entry' report.json + tags: + - json + - data-processing + salt_states: + covered: true + install_method: apt + package_name: jq + salt_state_path: remnux/packages/jq.sls + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: true + help_tier: rich +- id: js-beautify + name: js-beautify + aliases: [] + description: Format and beautify obfuscated JavaScript code for readability + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Format and beautify obfuscated JavaScript code for readability + category: javascript-analysis + labs: + - '3.6' + - '4.5' + sections: + - 3 + typical_usage: + - js-beautify malicious.js > beautified.js + tags: + - javascript + - formatting + - readability + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-jsbeautifier + salt_state_path: remnux/python3-packages/jsbeautifier.sls + remnux_docs: + covered: true + category: Statically Analyze Code > Scripts + description: Reformat JavaScript scripts for easier analysis. 
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts + website: https://beautifier.io/ + anchor: js-beautifier + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: jstillery + name: jstillery + aliases: + - remnux-node-packages-jstillery + - git+https://github.com/mindedsecurity/JStillery.git + description: Deobfuscate JavaScript scripts using AST and Partial Evaluation techniques. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: npm + package_name: remnux-node-packages-jstillery + salt_state_path: remnux/node-packages/jstillery.sls + remnux_docs: + covered: true + category: Dynamically Reverse-Engineer Code > Scripts + description: Deobfuscate JavaScript scripts using AST and Partial Evaluation + techniques. + docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts + website: https://github.com/mindedsecurity/jstillery + anchor: jstillery + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: lame + name: lame + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: lame + salt_state_path: remnux/packages/lame.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libboost-dev + name: libboost-dev + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: libboost-dev + salt_state_path: remnux/packages/libboost-dev.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libboost-python-dev + name: libboost-python-dev + aliases: [] 
+ description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: libboost-python-dev + salt_state_path: remnux/packages/libboost-python-dev.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libboost-system-dev + name: libboost-system-dev + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: libboost-system-dev + salt_state_path: remnux/packages/libboost-system-dev.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libdpkg-perl + name: libdpkg-perl + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: libdpkg-perl + salt_state_path: remnux/packages/libdpkg-perl.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libemail-outlook-message-perl + name: libemail-outlook-message-perl + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: libemail-outlook-message-perl + salt_state_path: remnux/packages/libemail-outlook-message-perl.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libemu + name: libemu + aliases: + - libemu-dev + - ldconfig + description: A library for x86 code emulation and shellcode detection. 
+ in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: libemu + salt_state_path: remnux/packages/libemu.sls + remnux_docs: + covered: true + category: Dynamically Reverse-Engineer Code > Shellcode + description: A library for x86 code emulation and shellcode detection. + docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode + website: https://github.com/buffer/libemu + anchor: libemu + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: libffi-dev + name: libffi-dev + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: libffi-dev + salt_state_path: remnux/packages/libffi-dev.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libfuse2 + name: libfuse2 + aliases: + - remnux-packages-libfuse2 + - libfuse2t64 + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: remnux-packages-libfuse2 + salt_state_path: remnux/packages/libfuse2.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libfuzzy-dev + name: libfuzzy-dev + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: libfuzzy-dev + salt_state_path: remnux/packages/libfuzzy-dev.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libfuzzy2 + name: libfuzzy2 + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + 
for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: libfuzzy2 + salt_state_path: remnux/packages/libfuzzy2.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libglib2 + name: libglib2 + aliases: + - remnux-packages-libglib2 + - libglib2.0-0t64 + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: remnux-packages-libglib2 + salt_state_path: remnux/packages/libglib2.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libglu1-mesa-dev + name: libglu1-mesa-dev + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: libglu1-mesa-dev + salt_state_path: remnux/packages/libglu1-mesa-dev.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libgraphviz-dev + name: libgraphviz-dev + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: libgraphviz-dev + salt_state_path: remnux/packages/libgraphviz-dev.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libgtk-3-0 + name: libgtk-3-0 + aliases: + - remnux-packages-libgtk-3-0 + - libgtk-3-0t64 + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: remnux-packages-libgtk-3-0 + salt_state_path: remnux/packages/libgtk-3-0.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: 
false + has_salt_state: true + help_tier: basic +- id: libjavassist-java + name: libjavassist-java + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: libjavassist-java + salt_state_path: remnux/packages/libjavassist-java.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libjpeg-dev + name: libjpeg-dev + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: libjpeg-dev + salt_state_path: remnux/packages/libjpeg-dev.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libjpeg8-dev + name: libjpeg8-dev + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: libjpeg8-dev + salt_state_path: remnux/packages/libjpeg8-dev.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: liblzma-dev + name: liblzma-dev + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: liblzma-dev + salt_state_path: remnux/packages/liblzma-dev.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: liblzo2-dev + name: liblzo2-dev + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: liblzo2-dev + salt_state_path: remnux/packages/liblzo2-dev.sls + remnux_docs: + covered: 
false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libmagic-dev + name: libmagic-dev + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: libmagic-dev + salt_state_path: remnux/packages/libmagic-dev.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libmysqlclient21 + name: libmysqlclient21 + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: libmysqlclient21 + salt_state_path: remnux/packages/libmysqlclient21.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libncurses + name: libncurses + aliases: + - libncurses-dev + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: libncurses + salt_state_path: remnux/packages/libncurses.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libnetfilter-queue-dev + name: libnetfilter-queue-dev + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: libnetfilter-queue-dev + salt_state_path: remnux/packages/libnetfilter-queue-dev.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libnfnetlink-dev + name: libnfnetlink-dev + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + 
install_method: apt + package_name: libnfnetlink-dev + salt_state_path: remnux/packages/libnfnetlink-dev.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libolecf + name: libolecf + aliases: [] + description: Microsoft Office OLE2 compound documents. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: libolecf + salt_state_path: remnux/packages/libolecf.sls + remnux_docs: + covered: true + category: Analyze Documents > Microsoft Office + description: Microsoft Office OLE2 compound documents. + docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + website: https://github.com/libyal/libolecf + anchor: libolecf + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: libpq5 + name: libpq5 + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: libpq5 + salt_state_path: remnux/packages/libpq5.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libqt5scripttools5 + name: libqt5scripttools5 + aliases: + - remnux-package-libqt5scripttools5 + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: remnux-package-libqt5scripttools5 + salt_state_path: remnux/packages/libqt5scripttools5.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libre2 + name: libre2 + aliases: + - remnux-packages-libre2 + - libre2-10 + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: 
true + install_method: apt + package_name: remnux-packages-libre2 + salt_state_path: remnux/packages/libre2.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libsm6 + name: libsm6 + aliases: + - remnux-packages-libsm6 + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: remnux-packages-libsm6 + salt_state_path: remnux/packages/libsm6.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libsqlite3-dev + name: libsqlite3-dev + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: libsqlite3-dev + salt_state_path: remnux/packages/libsqlite3-dev.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libssl-dev + name: libssl-dev + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: libssl-dev + salt_state_path: remnux/packages/libssl-dev.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libtool + name: libtool + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: libtool + salt_state_path: remnux/packages/libtool.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libtre5 + name: libtre5 + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + 
covered: false + salt_states: + covered: true + install_method: apt + package_name: libtre5 + salt_state_path: remnux/packages/libtre5.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libusb-1 + name: libusb-1 + aliases: + - libusb-1.0-0 + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: libusb-1.0-0 + salt_state_path: remnux/packages/libusb-1.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libxml2-dev + name: libxml2-dev + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: libxml2-dev + salt_state_path: remnux/packages/libxml2-dev.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: libxslt1-dev + name: libxslt1-dev + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: libxslt1-dev + salt_state_path: remnux/packages/libxslt1-dev.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: lief + name: lief + aliases: + - remnux-python3-packages-lief + description: Parse and analyze PE, ELF, MachO, DEX, OAT, VDEX, ART, and DWARF executable + formats. 
+ in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-lief + salt_state_path: remnux/python3-packages/lief.sls + remnux_docs: + covered: true + category: Examine Static Properties > General + description: Parse and analyze PE, ELF, MachO, DEX, OAT, VDEX, ART, and DWARF + executable formats. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: https://lief.re + anchor: lief + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: linux-headers + name: linux-headers + aliases: + - linux-headers-generic + - remnux-packages-linux-headers + - linux-headers-{{ + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: linux-headers-generic + salt_state_path: remnux/packages/linux-headers.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: logman + name: logman + aliases: [] + description: Windows Event Trace session manager — enable AMSI script content logging + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: Windows Event Trace session manager — enable AMSI script content + logging + category: powershell-analysis + labs: + - '3.6' + sections: + - 3 + typical_usage: + - logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl + -ets + - logman stop AMSITrace -ets + tags: + - amsi + - event-tracing + - monitoring + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: ltrace + name: ltrace + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + 
salt_states: + covered: true + install_method: apt + package_name: ltrace + salt_state_path: remnux/packages/ltrace.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: magika + name: magika + aliases: + - remnux-python3-packages-magika-install + description: Identify file type using signatures. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-magika-install + salt_state_path: remnux/python3-packages/magika.sls + remnux_docs: + covered: true + category: Examine Static Properties > General + description: Identify file type using signatures. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: https://google.github.io/magika + anchor: magika + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: mail-parser + name: mail-parser + aliases: + - remnux-python3-packages-mail-parser + description: Parse raw SMTP email messages and extract headers, body, and attachments + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - python3 -c "import mailparser; mail = mailparser.parse_from_file(''); + print(mail.subject)" + tags: + - email + - parsing + - attachments + description: Parse raw SMTP email messages and extract headers, body, and attachments + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-mail-parser + salt_state_path: remnux/python3-packages/mail-parser.sls + remnux_docs: + covered: true + category: Analyze Documents > Email Messages + description: Parse raw SMTP and. 
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages + website: https://github.com/SpamScope/mail-parser + anchor: mail-parser + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: malcat + name: malcat + aliases: + - remnux-tools-malcat-pip-deps + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: manual + package_name: remnux-tools-malcat-pip-deps + salt_state_path: remnux/tools/malcat.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: malcat-lite + name: Malcat Lite + aliases: [] + description: Analyze binary files using a hex editor, disassembler, and file dissector. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Examine Static Properties > General + description: Analyze binary files using a hex editor, disassembler, and file + dissector. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: https://malcat.fr + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: malchive + name: Malchive + aliases: [] + description: Multi-purpose malware analysis library — config extraction, deobfuscation, + and static analysis + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - malchive + tags: + - malware + - config-extraction + - deobfuscation + description: Multi-purpose malware analysis library — config extraction, deobfuscation, + and static analysis + salt_states: + covered: false + remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Perform static analysis of various aspects of malicious code. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://github.com/MITRECND/malchive + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: false + help_tier: rich +- id: malwarebazaar + name: MalwareBazaar + aliases: [] + description: Malware sample sharing platform by abuse.ch + in_remnux: false + platform: online + sources: + for610: + covered: true + description: Malware sample sharing platform by abuse.ch + category: online-platforms + labs: [] + sections: + - 1 + typical_usage: + - https://bazaar.abuse.ch + tags: + - sample-sharing + - repository + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: malwoverview + name: malwoverview + aliases: + - remnux-python3-packages-malwoverview-install + description: Query VirusTotal, Hybrid Analysis, and MalwareBazaar for malware intelligence + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - malwoverview -v + - malwoverview -f + tags: + - threat-intel + - virustotal + - malware-bazaar + description: Query VirusTotal, Hybrid Analysis, and MalwareBazaar for malware + intelligence + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-malwoverview-install + salt_state_path: remnux/python3-packages/malwoverview.sls + remnux_docs: + covered: true + category: Gather and Analyze Data + description: Query public repositories of malware data (e. 
+ docs_url: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + website: https://github.com/alexandreborges/malwoverview + anchor: malwoverview + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: manalyze + name: manalyze + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: manalyze + salt_state_path: remnux/packages/manalyze.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: mbcscan + name: mbcscan + aliases: [] + description: Scan a PE file to list the associated Malware Behavior Catalog (MBC) + details. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Statically Analyze Code > PE Files + description: Scan a PE file to list the associated Malware Behavior Catalog + (MBC) details. 
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files + website: https://github.com/accidentalrebel/mbcscan + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: mercurial + name: mercurial + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: mercurial + salt_state_path: remnux/packages/mercurial.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: microsoft + name: microsoft + aliases: + - deb + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: deb + salt_state_path: remnux/repos/winehq.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: microsoft-vscode + name: microsoft-vscode + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: microsoft-vscode + salt_state_path: remnux/repos/microsoft-vscode.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: mitmproxy + name: mitmproxy + aliases: [] + description: Interactive HTTPS proxy for intercepting, inspecting, and modifying + encrypted web traffic + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - mitmproxy + - mitmdump -w capture.flow + - mitmproxy --mode transparent + tags: + - network + - https + - proxy + - tls + - interception + description: Interactive HTTPS proxy for intercepting, inspecting, and modifying + encrypted web traffic + salt_states: + covered: false + remnux_docs: 
+ covered: true + category: Explore Network Interactions > Monitoring + description: Investigate website interactions using this web proxy. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring + website: https://mitmproxy.org + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: false + help_tier: rich +- id: mono + name: mono + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: mono + salt_state_path: remnux/repos/mono.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: mono-devel + name: mono-devel + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: mono-devel + salt_state_path: remnux/packages/mono-devel.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: mono-utils + name: mono-utils + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: mono-utils + salt_state_path: remnux/packages/mono-utils.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: monodis + name: monodis + aliases: [] + description: Disassemble and extract resources from. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Examine Static Properties > .NET + description: Disassemble and extract resources from. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/.net + website: https://www.mono-project.com/docs/tools+libraries/tools/monodis/ + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: msg-extractor + name: msg-extractor + aliases: + - remnux-python3-packages-extract-msg + - extract_msg + description: Extract emails and attachments from Microsoft Outlook MSG files + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - extract_msg + - extract_msg --out-dir output/ + tags: + - email + - msg + - outlook + - attachments + description: Extract emails and attachments from Microsoft Outlook MSG files + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-extract-msg + salt_state_path: remnux/python3-packages/msg-extractor.sls + remnux_docs: + covered: true + category: Analyze Documents > Email Messages + description: Extract emails and attachments from MSG files. + docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages + website: https://github.com/TeamMsgExtractor/msg-extractor + anchor: msg-extractor + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: msgconvert + name: msgconvert + aliases: [] + description: Convert MSG files to MBOX files. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Analyze Documents > Email Messages + description: Convert MSG files to MBOX files. + docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages + website: https://www.matijs.net/software/msgconv/ + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: msitools + name: msitools + aliases: [] + description: Create, inspect and extract Windows Installer (. 
+ in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: msitools + salt_state_path: remnux/packages/msitools.sls + remnux_docs: + covered: true + category: Examine Static Properties > General + description: Create, inspect and extract Windows Installer (. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: https://wiki.gnome.org/msitools + anchor: msitools + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: msoffcrypto-crack-py + name: msoffcrypto-crack.py + aliases: [] + description: Recover the password of an encrypted Microsoft Office document. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Analyze Documents > Microsoft Office + description: Recover the password of an encrypted Microsoft Office document. 
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + website: https://blog.didierstevens.com/2018/12/31/new-tool-msoffcrypto-crack-py/ + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: msoffcrypto-tool + name: msoffcrypto-tool + aliases: + - remnux-python3-packages-msoffcrypto-tool + description: Decrypt password-protected Microsoft Office documents (OLE and OOXML) + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - msoffcrypto-tool -p infected + - msoffcrypto-tool -p password + tags: + - office + - decryption + - password + description: Decrypt password-protected Microsoft Office documents (OLE and + OOXML) + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-msoffcrypto-tool + salt_state_path: remnux/python3-packages/msoffcrypto-tool.sls + remnux_docs: + covered: true + category: Analyze Documents > Microsoft Office + description: Decrypt a Microsoft Office file with password, intermediate key, + or private key which generated its escrow key. + docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + website: https://github.com/nolze/msoffcrypto-tool + anchor: msoffcrypto-tool + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: msoffice-crypt + name: msoffice-crypt + aliases: [] + description: Encrypt and decrypt OOXML Microsoft Office documents. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: msoffice-crypt + salt_state_path: remnux/packages/msoffice-crypt.sls + remnux_docs: + covered: true + category: Analyze Documents > Microsoft Office + description: Encrypt and decrypt OOXML Microsoft Office documents. 
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + website: https://github.com/herumi/msoffice + anchor: msoffice-crypt + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: myip + name: myip + aliases: [] + description: Determine the IP address of the default network interface. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: script + package_name: myip + salt_state_path: remnux/scripts/myip.sls + remnux_docs: + covered: true + category: General Utilities + description: Determine the IP address of the default network interface. + docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + website: https://github.com/REMnux/distro/blob/master/files/myip + anchor: myip + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: myjson-filter-py + name: myjson-filter.py + aliases: [] + description: Filter data formatted using the JSON format used by Didier Stevens' + tools. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: General Utilities + description: Filter data formatted using the JSON format used by Didier Stevens' + tools. 
+ docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + website: https://blog.didierstevens.com/2022/04/09/new-tool-myjson-filter-py/ + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: mynic + name: mynic + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: script + package_name: mynic + salt_state_path: remnux/scripts/mynic.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: name-that-hash + name: name-that-hash + aliases: + - remnux-python3-packages-name-that-hash-install + - nth + description: Identify dfferent types of hashes. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-name-that-hash-install + salt_state_path: remnux/python3-packages/name-that-hash.sls + remnux_docs: + covered: true + category: Examine Static Properties > General + description: Identify dfferent types of hashes. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: https://github.com/HashPals/Name-That-Hash + anchor: name-that-hash + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: nano + name: nano + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: nano + salt_state_path: remnux/packages/nano.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: nasm + name: nasm + aliases: [] + description: An x86-64 assembler. 
+ in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: nasm + salt_state_path: remnux/packages/nasm.sls + remnux_docs: + covered: true + category: General Utilities + description: An x86-64 assembler. + docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + website: https://www.nasm.us + anchor: nasm + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: nautilus + name: nautilus + aliases: [] + description: Graphical file manager. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: nautilus + salt_state_path: remnux/packages/nautilus.sls + remnux_docs: + covered: true + category: General Utilities + description: Graphical file manager. + docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + website: https://gitlab.gnome.org/GNOME/nautilus + anchor: nautilus + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: ndg-httpsclient + name: ndg-httpsclient + aliases: + - remnux-python3-packages-ndg-httpsclient + - ndg_httpclient + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-ndg-httpsclient + salt_state_path: remnux/python3-packages/ndg-httpsclient.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: net-tools + name: net-tools + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: net-tools + salt_state_path: remnux/packages/net-tools.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: 
false + has_salt_state: true + help_tier: basic +- id: netcat + name: nc + aliases: + - netcat + description: Network utility for reading/writing data across TCP/UDP connections + in_remnux: true + platform: both + sources: + for610: + covered: true + description: Network utility for reading/writing data across TCP/UDP connections + category: network-analysis + labs: [] + sections: + - 1 + typical_usage: + - nc -l -p 3127 + - nc target_ip 80 + tags: + - network + - tcp + - listener + salt_states: + covered: true + install_method: apt + package_name: netcat-traditional + salt_state_path: remnux/packages/netcat.sls + remnux_docs: + covered: true + category: Explore Network Interactions > Connecting + description: Read and write data across network connections. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting + website: https://nc110.sourceforge.io/ + anchor: netcat + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: network-miner-free-edition + name: Network Miner Free Edition + aliases: [] + description: Examine network traffic and carve PCAP capture files. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Explore Network Interactions > Monitoring + description: Examine network traffic and carve PCAP capture files. 
+ docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring + website: https://www.netresec.com + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: networkminer + name: networkminer + aliases: [] + description: Passive network traffic analyzer — extracts files, images, credentials + from PCAP captures + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - NetworkMiner --pcap + tags: + - network + - pcap + - file-carving + - passive + description: Passive network traffic analyzer — extracts files, images, credentials + from PCAP captures + salt_states: + covered: true + install_method: manual + package_name: networkminer + salt_state_path: remnux/tools/networkminer.sls + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: true + help_tier: rich +- id: nginx + name: nginx + aliases: [] + description: Web server. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: nginx + salt_state_path: remnux/config/nginx.sls + remnux_docs: + covered: true + category: Explore Network Interactions > Services + description: Web server. 
+ docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services + website: https://nginx.org + anchor: nginx + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: ngrep + name: ngrep + aliases: [] + description: Search network traffic for patterns — like grep for packets + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - ngrep -I 'password' + - ngrep -d eth0 'GET|POST' 'tcp port 80' + tags: + - network + - search + - pattern-matching + description: Search network traffic for patterns — like grep for packets + salt_states: + covered: true + install_method: apt + package_name: ngrep + salt_state_path: remnux/packages/ngrep.sls + remnux_docs: + covered: true + category: Explore Network Interactions > Monitoring + description: Look for patterns in network traffic. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring + website: https://github.com/jpr5/ngrep/ + anchor: ngrep + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: nodejs + name: nodejs + aliases: + - remnux-packages-nodejs + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: npm + package_name: remnux-packages-nodejs + salt_state_path: remnux/packages/nodejs.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: nomorexor + name: nomorexor + aliases: + - nomorexor.py + description: Help guess a file's 256-byte XOR by using frequency analysis. 
+ in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: script + package_name: nomorexor.py + salt_state_path: remnux/scripts/nomorexor.sls + remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Help guess a file's 256-byte XOR by using frequency analysis. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://github.com/digitalsleuth/NoMoreXOR + anchor: nomorexor.py + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: notepadpp + name: Notepad++ + aliases: [] + description: Advanced Windows text editor with syntax highlighting for script analysis + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: Advanced Windows text editor with syntax highlighting for script + analysis + category: utilities + labs: + - '3.6' + - '3.8' + - '3.9' + - '3.10' + - '3.11' + - '3.12' + - '4.5' + sections: + - 3 + - 4 + typical_usage: + - notepad++ script.ps1 + tags: + - editor + - windows + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: nslookup + name: nslookup + aliases: [] + description: DNS query tool for testing name resolution + in_remnux: true + platform: both + sources: + for610: + covered: true + description: DNS query tool for testing name resolution + category: network-analysis + labs: + - '1.3' + sections: + - 1 + typical_usage: + - nslookup domain.com + tags: + - dns + - testing + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: nsrllookup + name: nsrllookup + aliases: [] + description: Look up MD5 file hashes in the NIST National Software Reference Library + (NSRL). 
+ in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Gather and Analyze Data + description: Look up MD5 file hashes in the NIST National Software Reference + Library (NSRL). + docs_url: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + website: https://github.com/rjhansen/nsrllookup + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: numbers-to-string-py + name: numbers-to-string.py + aliases: [] + description: Convert sequences of decimal numbers to readable characters + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Convert sequences of decimal numbers to readable characters + category: document-analysis + labs: + - '3.3' + sections: + - 3 + typical_usage: + - oledump.py doc.docm -s A3 -v | numbers-to-string.py -j + tags: + - decoding + - deobfuscation + - didier-stevens + author: Didier Stevens + salt_states: + covered: false + remnux_docs: + covered: true + category: Examine Static Properties > General + description: Convert decimal numbers to strings. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: https://blog.didierstevens.com/2020/12/12/update-numbers-to-string-py-version-0-0-11/ + anchor: numbers-to-string + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: false + help_tier: rich +- id: objdump + name: objdump + aliases: [] + description: Disassemble binary files. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Statically Analyze Code > General + description: Disassemble binary files. 
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/general + website: https://en.wikipedia.org/wiki/Objdump + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: objects-js + name: objects.js + aliases: [] + description: Emulate common browser and PDF viewer objects, methods, and properties + when deobfuscating JavaScript. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Dynamically Reverse-Engineer Code > Scripts + description: Emulate common browser and PDF viewer objects, methods, and properties + when deobfuscating JavaScript. + docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts + website: https://github.com/REMnux/salt-states/blob/master/remnux/config/objects/objects.js + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: oledump-py + name: oledump.py + aliases: + - oledump + description: Analyze OLE2 files (Office documents), extract streams and VBA macros + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Analyze OLE2 files (Office documents), extract streams and VBA + macros + category: document-analysis + labs: + - '3.3' + - '3.4' + - '4.5' + sections: + - 3 + - 4 + typical_usage: + - oledump.py document.docm + - oledump.py document.docm -s A3 -v + - oledump.py document.docm -i + tags: + - office + - vba + - macro + - ole + - didier-stevens + author: Didier Stevens + salt_states: + covered: false + remnux_docs: + covered: true + category: Analyze Documents > Microsoft Office + description: Analyze OLE2 Structured Storage files. 
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + website: https://blog.didierstevens.com/programs/oledump-py/ + anchor: oledump.py + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: false + help_tier: rich +- id: olefile + name: olefile + aliases: + - remnux-python3-packages-olefile-package + - python3-olefile + description: Python package to parse, read and write MS OLE2 files. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-olefile-package + salt_state_path: remnux/python3-packages/olefile.sls + remnux_docs: + covered: true + category: Analyze Documents > Microsoft Office + description: Python package to parse, read and write MS OLE2 files. + docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + website: https://github.com/decalage2/olefile + anchor: olefile + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: olevba + name: olevba + aliases: [] + description: Extract and analyze VBA macros from Office documents with deobfuscation + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Extract and analyze VBA macros from Office documents with deobfuscation + category: document-analysis + labs: [] + sections: + - 3 + typical_usage: + - olevba document.docm + - olevba --deobf document.docm + tags: + - office + - vba + - macro + - deobfuscation + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-oletools + salt_state_path: remnux/python3-packages/oletools.sls + remnux_docs: + covered: true + category: Analyze Documents > Microsoft Office + description: Microsoft Office OLE2 compound documents. 
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + website: https://www.decalage.info/python/oletools + anchor: oletools + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: ollydbg + name: OllyDbg + aliases: [] + description: Classic 32-bit debugger for Windows (legacy, predecessor to x32dbg) + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: Classic 32-bit debugger for Windows (legacy, predecessor to x32dbg) + category: debugging + labs: [] + sections: + - 4 + - 5 + typical_usage: + - ollydbg.exe specimen.exe + tags: + - debugger + - 32-bit + - legacy + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: ollydumpex + name: OllyDumpEx + aliases: [] + description: x64dbg/x32dbg plugin for dumping unpacked process memory to disk + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: x64dbg/x32dbg plugin for dumping unpacked process memory to disk + category: unpacking + labs: + - '4.3' + - '5.4' + - '5.8' + sections: + - 4 + - 5 + typical_usage: + - Plugins > OllyDumpEx > Dump process + tags: + - memory-dump + - x64dbg-plugin + - unpacking + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: onedump-py + name: onedump.py + aliases: [] + description: Extract and analyze embedded files from OneNote documents. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Analyze Documents > Microsoft Office + description: Extract and analyze embedded files from OneNote documents. 
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + website: https://blog.didierstevens.com/2023/01/22/new-tool-onedump-py/ + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: opencode + name: opencode + aliases: [] + description: Open-source AI coding agent for the terminal. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: opencode + salt_state_path: remnux/config/opencode.sls + remnux_docs: + covered: true + category: Use Artificial Intelligence + description: Open-source AI coding agent for the terminal. + docs_url: https://docs.remnux.org/discover-the-tools/use+artificial+intelligence + website: https://opencode.ai + anchor: opencode + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: openjdk + name: openjdk + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: openjdk + salt_state_path: remnux/repos/openjdk.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: openssh + name: openssh + aliases: + - openssh-client + - openssh-server + description: Initiate and receive SSH and SFTP connections. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: openssh-client + salt_state_path: remnux/packages/openssh.sls + remnux_docs: + covered: true + category: General Utilities + description: Initiate and receive SSH and SFTP connections. 
+ docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + website: https://www.openssh.com + anchor: openssh + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: openssl + name: openssl + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: openssl + salt_state_path: remnux/packages/openssl.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: origami + name: origamindee + aliases: + - origami + - therubyracer + description: Parse, modify, generate PDF files. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: gem + package_name: origamindee + salt_state_path: remnux/rubygems/origamindee.sls + remnux_docs: + covered: true + category: Analyze Documents > PDF + description: Parse, modify, generate PDF files. 
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/pdf + website: https://github.com/mindee/origamindee + anchor: origamindee + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: osarch + name: osarch + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: osarch + salt_state_path: remnux/osarch.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: otx + name: Open Threat Exchange + aliases: + - OTX + - LevelBlue Labs + description: Threat intelligence sharing platform for indicators of compromise + in_remnux: false + platform: online + sources: + for610: + covered: true + description: Threat intelligence sharing platform for indicators of compromise + category: online-platforms + labs: [] + sections: + - 1 + typical_usage: + - https://otx.alienvault.com + tags: + - threat-intel + - ioc-sharing + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: pcode2code + name: pcode2code + aliases: + - remnux-python3-packages-pcode2code + description: Decompile VBA p-code from Office documents — works even when VBA source + is removed + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - pcode2code + tags: + - office + - vba + - p-code + - decompilation + description: Decompile VBA p-code from Office documents — works even when VBA + source is removed + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-pcode2code + salt_state_path: remnux/python3-packages/pcode2code.sls + remnux_docs: + covered: true + category: Analyze Documents > Microsoft Office + description: Decompile VBA macro p-code from Microsoft 
Office documents. + docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + website: https://github.com/Big5-sec/pcode2code + anchor: pcode2code + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: pcodedmp + name: pcodedmp + aliases: + - remnux-python3-packages-pcodedmp + description: Disassemble VBA p-code. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-pcodedmp + salt_state_path: remnux/python3-packages/pcodedmp.sls + remnux_docs: + covered: true + category: Analyze Documents > Microsoft Office + description: Disassemble VBA p-code. + docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + website: https://github.com/bontchev/pcodedmp + anchor: pcodedmp + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: pdf-parser-py + name: pdf-parser.py + aliases: + - pdf-parser + description: Parse PDF structure, locate objects, extract content, and search for + strings + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Parse PDF structure, locate objects, extract content, and search + for strings + category: pdf-analysis + labs: + - '3.1' + sections: + - 1 + - 3 + typical_usage: + - pdf-parser.py document.pdf -a + - pdf-parser.py document.pdf -s /URI + - pdf-parser.py document.pdf -k /URI + - pdf-parser.py document.pdf -o 6 -d object6.jpg + tags: + - pdf + - static-analysis + - object-extraction + - didier-stevens + author: Didier Stevens + salt_states: + covered: false + remnux_docs: + covered: true + category: Analyze Documents > PDF + description: Examine elements of the PDF file. 
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/pdf + website: https://blog.didierstevens.com/programs/pdf-tools/ + anchor: pdf-parser.py + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: false + help_tier: rich +- id: pdfid-py + name: pdfid.py + aliases: + - pdfid + description: Scan PDF files for suspicious keywords like /JavaScript, /OpenAction, + /Launch without parsing + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Scan PDF files for suspicious keywords like /JavaScript, /OpenAction, + /Launch without parsing + category: pdf-analysis + labs: + - '3.1' + sections: + - 1 + - 3 + typical_usage: + - pdfid.py document.pdf + - pdfid.py -n document.pdf + tags: + - pdf + - static-analysis + - triage + - didier-stevens + author: Didier Stevens + salt_states: + covered: false + remnux_docs: + covered: true + category: Analyze Documents > PDF + description: Identify suspicious elements of the PDF file. + docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/pdf + website: https://blog.didierstevens.com/programs/pdf-tools/ + anchor: pdfid.py + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: false + help_tier: rich +- id: pdfresurrect + name: pdfresurrect + aliases: [] + description: Extract and analyze previous versions from PDF files + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Extract and analyze previous versions from PDF files + category: pdf-analysis + labs: [] + sections: + - 1 + typical_usage: + - pdfresurrect document.pdf + tags: + - pdf + - versioning + salt_states: + covered: true + install_method: apt + package_name: pdfresurrect + salt_state_path: remnux/packages/pdfresurrect.sls + remnux_docs: + covered: true + category: Analyze Documents > PDF + description: Extract previous versions of content from PDF files. 
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/pdf + website: https://github.com/enferex/pdfresurrect + anchor: pdfresurrect + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: pdftk + name: pdftk + aliases: [] + description: Manipulate PDF files — merge, split, flatten, encrypt, and extract + embedded content + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Manipulate PDF files — merge, split, flatten, encrypt, and extract + embedded content + category: pdf-analysis + labs: [] + sections: + - 3 + typical_usage: + - pdftk input.pdf cat output output.pdf flatten + - pdftk input.pdf unpack_files + tags: + - pdf + - manipulation + - extraction + salt_states: + covered: true + install_method: apt + package_name: pdftk-java + salt_state_path: remnux/packages/pdftk-java.sls + remnux_docs: + covered: true + category: Analyze Documents > PDF + description: Edit, create, and examine PDF files. + docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/pdf + website: https://gitlab.com/pdftk-java/pdftk + anchor: pdftk-java + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: pdftool-py + name: pdftool.py + aliases: [] + description: Analyze PDF incremental updates + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Analyze PDF incremental updates + category: pdf-analysis + labs: [] + sections: + - 1 + typical_usage: + - pdftool.py document.pdf + tags: + - pdf + - didier-stevens + author: Didier Stevens + salt_states: + covered: false + remnux_docs: + covered: true + category: Analyze Documents > PDF + description: Analyze PDF files to identify incremental updates to the document. 
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/pdf + website: https://blog.didierstevens.com/2021/01/31/new-tool-pdftool-py/ + anchor: pdftool.py + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: false + help_tier: rich +- id: pdnstool + name: pdnstool + aliases: + - sqlite3-gem + - passivedns-client + - sqlite3 + description: Query passive DNS databases for DNS data. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: remnux-packages-sqlite + salt_state_path: remnux/packages/sqlite.sls + remnux_docs: + covered: true + category: Gather and Analyze Data + description: Query passive DNS databases for DNS data. + docs_url: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + website: https://github.com/chrislee35/passivedns-client + anchor: pdnstool + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: pe-tree + name: pe-tree + aliases: + - remnux-python3-packages-pe-tree + - pe_tree + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-pe-tree + salt_state_path: remnux/python3-packages/pe-tree.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: pe-unmapper + name: pe_unmapper + aliases: [] + description: Convert dumped PE from virtual memory alignment to raw disk alignment + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: Convert dumped PE from virtual memory alignment to raw disk alignment + category: unpacking + labs: + - '5.10' + sections: + - 5 + typical_usage: + - pe_unmapper /in dumped.exe /base 400000 /out fixed.exe + tags: + - pe-fixup + - memory-dump + - alignment + salt_states: + covered: false + 
remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: pedump + name: pedump + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: gem + package_name: pedump + salt_state_path: remnux/rubygems/pedump.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: peepdf + name: peepdf + aliases: [] + description: Interactive PDF analysis framework with JavaScript detection and exploitation + capabilities + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Interactive PDF analysis framework with JavaScript detection and + exploitation capabilities + category: pdf-analysis + labs: [] + sections: + - 1 + typical_usage: + - peepdf -i malicious.pdf + - peepdf -f -i malicious.pdf + tags: + - pdf + - interactive + - javascript-detection + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-peepdf-3 + salt_state_path: remnux/python3-packages/peepdf-3.sls + remnux_docs: + covered: true + category: Analyze Documents > PDF + description: Examine elements of the PDF file. 
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/pdf + website: https://github.com/digitalsleuth/peepdf-3 + anchor: peepdf-3 + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: peframe + name: peframe + aliases: [] + description: Static analysis of PE files — extract properties, detect anomalies, + identify packers + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Static analysis of PE files — extract properties, detect anomalies, + identify packers + category: static-analysis-pe + labs: + - '1.1' + - '4.8' + sections: + - 1 + - 4 + typical_usage: + - peframe specimen.exe + tags: + - pe + - static-analysis + - triage + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-peframe + salt_state_path: remnux/python3-packages/peframe.sls + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: true + help_tier: rich +- id: perl + name: perl + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: perl + salt_state_path: remnux/packages/perl.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: pestr + name: pestr + aliases: [] + description: Extract ASCII and Unicode strings from PE files + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Extract ASCII and Unicode strings from PE files + category: static-analysis-pe + labs: + - '1.1' + - '4.8' + sections: + - 1 + - 4 + typical_usage: + - pestr specimen.exe + tags: + - pe + - strings + - static-analysis + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: pestudio + name: PeStudio + 
aliases: [] + description: GUI tool for examining static properties of PE files — imports, strings, + sections, entropy, indicators + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: GUI tool for examining static properties of PE files — imports, + strings, sections, entropy, indicators + category: static-analysis-pe + labs: + - '1.1' + - '1.5' + - '2.7' + - '3.10' + - '3.12' + - '4.1' + - '4.2' + - '4.3' + - '4.7' + - '4.8' + - '5.3' + - '5.4' + - '5.8' + - '5.9' + - '5.10' + sections: + - 1 + - 2 + - 3 + - 4 + - 5 + typical_usage: + - pestudio.exe specimen.exe + tags: + - pe + - static-analysis + - imports + - strings + - entropy + - triage + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: pgadmin + name: pgadmin + aliases: + - remnux-packages-pgadmin4 + - pgadmin4-desktop + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: deb + salt_state_path: remnux/repos/pgadmin4.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: pip + name: pip + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: pip + package_name: pip + salt_state_path: remnux/python3-packages/pip.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: pkg-config + name: pkg-config + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: pkg-config + salt_state_path: remnux/packages/pkg-config.sls + remnux_docs: + covered: false + has_for610_coverage: false 
+ has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: polarproxy + name: polarproxy + aliases: [] + description: Transparent TLS proxy that decrypts traffic and saves it as PCAP for + analysis in Wireshark + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - PolarProxy -p 443,80 -w captured.pcap + tags: + - network + - tls + - decryption + - pcap + description: Transparent TLS proxy that decrypts traffic and saves it as PCAP + for analysis in Wireshark + salt_states: + covered: true + install_method: manual + package_name: polarproxy + salt_state_path: remnux/tools/polarproxy.sls + remnux_docs: + covered: true + category: Explore Network Interactions > Monitoring + description: Intercept and decrypt TLS traffic. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring + website: https://www.netresec.com + anchor: polarproxy + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: portex + name: portex + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: portex + salt_state_path: remnux/packages/portex.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: powershell + name: powershell + aliases: [] + description: Run PowerShell scripts and commands. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: powershell + salt_state_path: remnux/packages/powershell.sls + remnux_docs: + covered: true + category: Dynamically Reverse-Engineer Code > Scripts + description: Run PowerShell scripts and commands. 
+ docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts + website: https://github.com/powershell/powershell + anchor: powershell-core + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: powershell-ise + name: PowerShell ISE + aliases: + - powershell_ise + description: PowerShell Integrated Scripting Environment — debug scripts with breakpoints + and variable inspection + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: PowerShell Integrated Scripting Environment — debug scripts with + breakpoints and variable inspection + category: powershell-analysis + labs: + - '3.9' + - '3.11' + - '4.5' + sections: + - 3 + - 4 + typical_usage: + - powershell_ise script.ps1 + tags: + - powershell + - debugger + - script-analysis + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: prefer-ipv4 + name: prefer-ipv4 + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: prefer-ipv4 + salt_state_path: remnux/network/prefer-ipv4.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: procdot + name: ProcDOT + aliases: [] + description: Visualize Process Monitor logs as interactive graphs for behavioral + analysis + in_remnux: true + platform: both + sources: + for610: + covered: true + description: Visualize Process Monitor logs as interactive graphs for behavioral + analysis + category: behavioral-analysis + labs: + - '1.2' + - '4.5' + sections: + - 1 + - 4 + typical_usage: + - procdot + tags: + - visualization + - process-monitor + - behavioral + salt_states: + covered: false + remnux_docs: + covered: true + category: Investigate System 
Interactions + description: Visualize and examine the output of Process Monitor. + docs_url: https://docs.remnux.org/discover-the-tools/investigate+system+interactions + website: https://www.procdot.com + anchor: procdot + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: false + help_tier: rich +- id: process-monitor + name: Process Monitor + aliases: + - ProcMon + - procmon + description: Record file system, registry, process, and thread activity in real + time + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: Record file system, registry, process, and thread activity in real + time + category: behavioral-analysis + labs: + - '1.2' + - '4.5' + sections: + - 1 + - 4 + typical_usage: + - Procmon.exe + tags: + - filesystem + - registry + - process-monitoring + - real-time + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: procyon + name: Procyon + aliases: [] + description: Java decompiler. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Statically Analyze Code > Java + description: Java decompiler. 
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/java + website: https://github.com/mstrobel/procyon + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: procyon-decompiler + name: procyon-decompiler + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: procyon-decompiler + salt_state_path: remnux/packages/procyon-decompiler.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: protobuf + name: protobuf + aliases: + - remnux-python3-packages-protobuf-install + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-protobuf-install + salt_state_path: remnux/python3-packages/protobuf.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: pycdc + name: pycdc + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: pycdc + salt_state_path: remnux/packages/pycdc.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: pyelftools + name: pyelftools + aliases: + - remnux-python3-packages-pyelftools + - readelf.py + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-pyelftools + salt_state_path: remnux/python3-packages/pyelftools.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: 
basic +- id: pyinstaller-extractor + name: pyinstaller-extractor + aliases: + - pyinstxtractor.py + description: Extract contents of a PyInstaller-generated PE files. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: script + package_name: pyinstxtractor.py + salt_state_path: remnux/scripts/pyinstaller-extractor.sls + remnux_docs: + covered: true + category: Statically Analyze Code > Python + description: Extract contents of a PyInstaller-generated PE files. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/python + website: https://github.com/extremecoders-re/pyinstxtractor + anchor: pyinstaller-extractor + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: pyinstxtractor-ng + name: pyinstxtractor-ng + aliases: + - remnux-python3-packages-pyinstxtractor-ng + description: Extract contents of PyInstaller-generated executables without needing + matching Python version + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - pyinstxtractor-ng + tags: + - python + - pyinstaller + - extraction + description: Extract contents of PyInstaller-generated executables without needing + matching Python version + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-pyinstxtractor-ng + salt_state_path: remnux/python3-packages/pyinstxtractor-ng.sls + remnux_docs: + covered: true + category: Statically Analyze Code > Python + description: Extract contents of PyInstaller-generated executables without requiring + a matching Python version. 
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/python + website: https://github.com/pyinstxtractor/pyinstxtractor-ng + anchor: pyinstxtractor-ng + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: python-debian + name: python-debian + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: pip + package_name: python-debian + salt_state_path: remnux/python3-packages/python-debian.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: python3 + name: python3 + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: python3 + salt_state_path: remnux/packages/python3.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: python3-cryptography + name: python3-cryptography + aliases: + - remnux-packages-python3-cryptography + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: remnux-packages-python3-cryptography + salt_state_path: remnux/packages/python3-cryptography.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: python3-dev + name: python3-dev + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: python3-dev + salt_state_path: remnux/packages/python3-dev.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: 
python3-dnspython + name: python3-dnspython + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: python3-dnspython + salt_state_path: remnux/packages/python3-dnspython.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: python3-magic + name: python3-magic + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: python3-magic + salt_state_path: remnux/packages/python3-magic.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: python3-netifaces + name: python3-netifaces + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: python3-netifaces + salt_state_path: remnux/packages/python3-netifaces.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: python3-numpy + name: python3-numpy + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: python3-numpy + salt_state_path: remnux/packages/python3-numpy.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: python3-pil + name: python3-pil + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: python3-pil + salt_state_path: remnux/packages/python3-pil.sls + remnux_docs: + covered: false + 
has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: python3-pip + name: python3-pip + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: pip + package_name: python3-pip + salt_state_path: remnux/packages/python3-pip.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: python3-pyasn1 + name: python3-pyasn1 + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: python3-pyasn1 + salt_state_path: remnux/packages/python3-pyasn1.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: python3-pyqt5 + name: python3-pyqt5 + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: python3-pyqt5 + salt_state_path: remnux/packages/python3-pyqt5.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: python3-requests + name: python3-requests + aliases: + - remnux-packages-python3-requests + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: remnux-packages-python3-requests + salt_state_path: remnux/packages/python3-requests.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: python3-setuptools + name: python3-setuptools + aliases: + - remnux-packages-python3-setuptools + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false 
+ salt_states: + covered: true + install_method: apt + package_name: remnux-packages-python3-setuptools + salt_state_path: remnux/packages/python3-setuptools.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: python3-ssdeep + name: python3-ssdeep + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: python3-ssdeep + salt_state_path: remnux/packages/python3-ssdeep.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: python3-tk + name: python3-tk + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: python3-tk + salt_state_path: remnux/packages/python3-tk.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: python3-venv + name: python3-venv + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: python3-venv + salt_state_path: remnux/packages/python3-venv.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: python3-virtualenv + name: python3-virtualenv + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: python3-virtualenv + salt_state_path: remnux/packages/python3-virtualenv.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: python3-wheel + name: python3-wheel + 
aliases: + - remnux-packages-python3-wheel + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: remnux-packages-python3-wheel + salt_state_path: remnux/packages/python3-wheel.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: qiling + name: qiling + aliases: + - remnux-python3-packages-qiling + - qltool + description: Multi-platform binary emulation framework — emulate PE, ELF, shellcode + across OS/arch combinations + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - python3 -c "from qiling import Qiling; ql = Qiling([''], '/path/to/rootfs')" + tags: + - emulation + - multi-platform + - binary-analysis + description: Multi-platform binary emulation framework — emulate PE, ELF, shellcode + across OS/arch combinations + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-qiling + salt_state_path: remnux/python3-packages/qiling.sls + remnux_docs: + covered: true + category: Statically Analyze Code > General + description: Emulate code execution of PE files, shellcode, etc. 
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/general + website: https://www.qiling.io + anchor: qiling + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: qpdf + name: qpdf + aliases: [] + description: Decrypt, linearize, and transform PDF files — useful for removing password + protection + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Decrypt, linearize, and transform PDF files — useful for removing + password protection + category: pdf-analysis + labs: [] + sections: + - 3 + typical_usage: + - qpdf --decrypt encrypted.pdf output.pdf + tags: + - pdf + - decryption + - transformation + salt_states: + covered: true + install_method: apt + package_name: qpdf + salt_state_path: remnux/packages/qpdf.sls + remnux_docs: + covered: true + category: Analyze Documents > PDF + description: Manipulate (merge, convert, transform) PDF files. + docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/pdf + website: http://qpdf.sourceforge.net/ + anchor: qpdf + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: qtbase5-dev + name: qtbase5-dev + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: qtbase5-dev + salt_state_path: remnux/packages/qtbase5-dev.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: radare2 + name: radare2 + aliases: + - r2 + description: Open-source reverse engineering command-line framework + in_remnux: true + platform: both + sources: + for610: + covered: true + description: Open-source reverse engineering command-line framework + category: code-analysis + labs: [] + sections: + - 2 + typical_usage: + - r2 specimen.exe + tags: + - disassembly + - cli + - open-source + 
salt_states: + covered: true + install_method: apt + package_name: remnux-radare2 + salt_state_path: remnux/packages/radare2.sls + remnux_docs: + covered: true + category: Dynamically Reverse-Engineer Code > General + description: Examine binary files, including disassembling and debugging. + docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/general + website: https://www.radare.org/n/radare2.html + anchor: radare2 + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: rar + name: rar + aliases: + - unrar + description: Extract RAR archives (including self-extracting RAR payloads) + in_remnux: true + platform: both + sources: + for610: + covered: true + description: Extract RAR archives (including self-extracting RAR payloads) + category: utilities + labs: + - '3.5' + sections: + - 3 + typical_usage: + - rar x archive.rar + tags: + - archive + - extraction + salt_states: + covered: true + install_method: apt + package_name: remnux-packages-unrar + salt_state_path: remnux/packages/unrar.sls + remnux_docs: + covered: true + category: General Utilities + description: Decompress files using a variety of algorithms. + docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + website: https://www.rarlab.com + anchor: unrar-free + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: re-search-py + name: re-search.py + aliases: [] + description: Search the file for built-in regular expressions of common suspicious + artifacts. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Examine Static Properties > General + description: Search the file for built-in regular expressions of common suspicious + artifacts. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: https://blog.didierstevens.com/2021/05/23/update-re-search-py-version-0-0-17/ + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: readpe + name: pev + aliases: + - remnux-packages-pev + - readpe + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: remnux-packages-pev + salt_state_path: remnux/packages/pev.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: redress + name: redress + aliases: [] + description: Analyze stripped Go binaries to recover symbols, types, source structure, + and integrate with Radare2. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: manual + package_name: redress + salt_state_path: remnux/tools/redress.sls + remnux_docs: + covered: true + category: Examine Static Properties > Go + description: Analyze stripped Go binaries to recover symbols, types, source + structure, and integrate with Radare2. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/go + website: https://github.com/goretk/redress + anchor: redress + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: refresh + name: refresh + aliases: + - pkg.refresh_db + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: pkg.refresh_db + salt_state_path: remnux/repos/refresh.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: reg-export + name: reg_export + aliases: [] + description: Extract registry key values to files — used to recover malware artifacts + stored in registry + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: Extract registry key values to files — used to recover malware + artifacts stored in registry + category: utilities + labs: + - '4.5' + sections: + - 4 + typical_usage: + - reg_export HKCU\software\keyname valuename output.js + tags: + - registry + - extraction + - windows + author: Adam Kramer + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: regedit + name: Regedit + aliases: [] + description: Windows Registry Editor for browsing and modifying registry keys + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: Windows Registry Editor for browsing and modifying registry keys + category: utilities + labs: + - '4.5' + sections: + - 4 + typical_usage: + - regedit.exe + tags: + - registry + - windows + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: regshot + name: Regshot + aliases: [] + description: Take and 
compare registry/filesystem snapshots before and after infection + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: Take and compare registry/filesystem snapshots before and after + infection + category: behavioral-analysis + labs: + - '1.2' + sections: + - 1 + typical_usage: + - Regshot-x64-Unicode.exe + tags: + - registry + - filesystem + - snapshot + - comparison + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: remnux + name: remnux + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: manual + package_name: remnux + salt_state_path: remnux/tools/remnux-installer.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: remnux-installer + name: REMnux Installer + aliases: [] + description: Install and update the REMnux distro. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: General Utilities + description: Install and update the REMnux distro. + docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + website: https://github.com/REMnux/distro/blob/master/files/remnux-installer.sh + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: remnux-mcp-server + name: remnux-mcp-server + aliases: + - remnux-node-packages-remnux-mcp-server + - '@remnux/mcp-server' + description: MCP server for using the REMnux malware analysis toolkit via AI assistants. 
+ in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: npm + package_name: remnux-node-packages-remnux-mcp-server + salt_state_path: remnux/node-packages/remnux-mcp-server.sls + remnux_docs: + covered: true + category: Use Artificial Intelligence + description: MCP server for using the REMnux malware analysis toolkit via AI + assistants. + docs_url: https://docs.remnux.org/discover-the-tools/use+artificial+intelligence + website: https://github.com/REMnux/remnux-mcp-server + anchor: remnux-mcp-server + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: remove-app-icons + name: remove-app-icons + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: remove-app-icons + salt_state_path: remnux/theme/gnome-config/remove-app-icons.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: rhino + name: rhino + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: rhino + salt_state_path: remnux/packages/rhino.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: rsakeyfind + name: rsakeyfind + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: rsakeyfind + salt_state_path: remnux/packages/rsakeyfind.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: rsakeyfinder + name: RSAKeyFinder + aliases: [] + description: Find BER-encoded RSA private keys in 
a memory image. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Perform Memory Forensics + description: Find BER-encoded RSA private keys in a memory image. + docs_url: https://docs.remnux.org/discover-the-tools/perform+memory+forensics + website: https://citp.princeton.edu/our-work/memory/ + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: rtfdump-py + name: rtfdump.py + aliases: + - rtfdump + description: Analyze RTF file structure, identify hex-encoded groups and embedded + objects + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Analyze RTF file structure, identify hex-encoded groups and embedded + objects + category: document-analysis + labs: + - '3.5' + sections: + - 3 + typical_usage: + - rtfdump.py document.rtf + - rtfdump.py document.rtf -s 5 -H -d > extracted.bin + tags: + - rtf + - document + - didier-stevens + author: Didier Stevens + salt_states: + covered: false + remnux_docs: + covered: true + category: Analyze Documents > Microsoft Office + description: Analyze a suspicious RTF file. 
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + website: https://blog.didierstevens.com/2018/12/10/update-rtfdump-py-version-0-0-9/ + anchor: rtfdump.py + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: false + help_tier: rich +- id: ruby + name: ruby + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: ruby + salt_state_path: remnux/packages/ruby.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: ruby-dev + name: ruby-dev + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: ruby-dev + salt_state_path: remnux/packages/ruby-dev.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: runsc32 + name: runsc32 + aliases: + - runsc + description: Execute extracted shellcode for dynamic analysis + in_remnux: true + platform: windows + sources: + for610: + covered: true + description: Execute extracted shellcode for dynamic analysis + category: emulation + labs: + - '3.5' + - '4.6' + sections: + - 3 + - 4 + typical_usage: + - runsc32 -f shellcode.bin -o 0x3B -d qa.doc + tags: + - shellcode + - execution + - dynamic-analysis + salt_states: + covered: true + install_method: apt + package_name: remnux-packages-runsc + salt_state_path: remnux/packages/runsc.sls + remnux_docs: + covered: true + category: Dynamically Reverse-Engineer Code > Shellcode + description: Run shellcode to trace and analyze its execution. 
+ docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode + website: https://github.com/edygert/runsc + anchor: runsc + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: salt-minion + name: salt-minion + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: salt-minion + salt_state_path: remnux/config/salt-minion.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: sandfly-processdecloak + name: sandfly-processdecloak + aliases: [] + description: Find hidden processes on the local Linux system. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: sandfly-processdecloak + salt_state_path: remnux/packages/sandfly-processdecloak.sls + remnux_docs: + covered: true + category: Investigate System Interactions + description: Find hidden processes on the local Linux system. + docs_url: https://docs.remnux.org/discover-the-tools/investigate+system+interactions + website: https://github.com/sandflysecurity/sandfly-processdecloak + anchor: sandfly-processdecloak + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: scalpel + name: scalpel + aliases: [] + description: Carve contents out of binary files, such as partitions. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: scalpel + salt_state_path: remnux/packages/scalpel.sls + remnux_docs: + covered: true + category: Gather and Analyze Data + description: Carve contents out of binary files, such as partitions. 
+ docs_url: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + website: https://github.com/sleuthkit/scalpel + anchor: scalpel + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: scdbgc + name: scdbgc + aliases: + - scdbg + description: Shellcode emulator — analyze shellcode behavior through API-level emulation + in_remnux: true + platform: both + sources: + for610: + covered: true + description: Shellcode emulator — analyze shellcode behavior through API-level + emulation + category: emulation + labs: + - '3.4' + - '3.5' + - '4.6' + sections: + - 3 + - 4 + typical_usage: + - scdbgc /f shellcode.bin /s -1 + - scdbgc /f shellcode.bin /foff 0x3B /fopen qa.doc + - scdbgc /f shellcode.bin /s -1 /norw + tags: + - shellcode + - emulation + - api-calls + salt_states: + covered: true + install_method: apt + package_name: remnux-packages-scdbg + salt_state_path: remnux/packages/scdbg.sls + remnux_docs: + covered: true + category: Dynamically Reverse-Engineer Code > Shellcode + description: Analyze shellcode by emulating its execution. + docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode + website: http://sandsprite.com/blogs/index.php?uid=7&pid=152 + anchor: scdbg + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: scite + name: scite + aliases: [] + description: Edit text files. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: scite + salt_state_path: remnux/packages/scite.sls + remnux_docs: + covered: true + category: View or Edit Files + description: Edit text files. 
+ docs_url: https://docs.remnux.org/discover-the-tools/view+or+edit+files + website: https://www.scintilla.org/SciTE.html + anchor: scite + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: scylla + name: Scylla + aliases: [] + description: Dump processes from memory and reconstruct import address tables (IAT) + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: Dump processes from memory and reconstruct import address tables + (IAT) + category: unpacking + labs: + - '4.2' + - '4.3' + - '5.4' + - '5.8' + - '5.10' + sections: + - 4 + - 5 + typical_usage: + - Scylla x64 > Attach to process > Dump > IAT Autosearch > Fix Dump + tags: + - memory-dump + - iat-reconstruction + - unpacking + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: scyllahide + name: ScyllaHide + aliases: [] + description: x64dbg/x32dbg plugin to hide debugger presence from anti-debugging + checks + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: x64dbg/x32dbg plugin to hide debugger presence from anti-debugging + checks + category: anti-analysis + labs: + - '5.3' + - '5.6' + sections: + - 5 + typical_usage: + - Plugins > ScyllaHide > Options > Enable all + tags: + - anti-debugging + - debugger-hiding + - x64dbg-plugin + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: securitytrails + name: SecurityTrails + aliases: [] + description: Historical DNS records and IP/domain intelligence + in_remnux: false + platform: online + sources: + for610: + covered: true + description: Historical DNS records and IP/domain intelligence + category: online-platforms + labs: [] + sections: + - 1 + typical_usage: + - https://securitytrails.com + tags: + - 
dns-history + - domain-intel + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: setdllcharacteristics + name: setdllcharacteristics + aliases: [] + description: Modify PE header flags — commonly used to disable ASLR (DynamicBase) + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: Modify PE header flags — commonly used to disable ASLR (DynamicBase) + category: unpacking + labs: + - '4.2' + sections: + - 4 + typical_usage: + - setdllcharacteristics -d specimen.exe + tags: + - pe-header + - aslr + - didier-stevens + author: Didier Stevens + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: sets-py + name: sets.py + aliases: [] + description: Perform set operations on lines or bytes in text files. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Perform set operations on lines or bytes in text files. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://blog.didierstevens.com/2017/03/05/new-tool-sets-py/ + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: sharutils + name: sharutils + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: sharutils + salt_state_path: remnux/packages/sharutils.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: shcode2exe + name: shcode2exe + aliases: + - shcode2exe.py + description: Convert raw shellcode to a Windows PE executable for analysis in disassemblers + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - shcode2exe + tags: + - shellcode + - conversion + - pe + description: Convert raw shellcode to a Windows PE executable for analysis in + disassemblers + salt_states: + covered: true + install_method: script + package_name: shcode2exe.py + salt_state_path: remnux/scripts/shcode2exe.sls + remnux_docs: + covered: true + category: Dynamically Reverse-Engineer Code > Shellcode + description: Convert 32 and 64-bit shellcode to a Windows executable file. + docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode + website: https://github.com/accidentalrebel/shcode2exe + anchor: shcode2exe + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: shellcode2exe-bat + name: shellcode2exe-bat + aliases: + - https://github.com/repnz/shellcode2exe.git + - shellcode2exe.bat + description: Convert 32 and 64-bit shellcode to a Windows executable file. 
+ in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: manual + package_name: https://github.com/repnz/shellcode2exe.git + salt_state_path: remnux/tools/shellcode2exe-bat.sls + remnux_docs: + covered: true + category: Dynamically Reverse-Engineer Code > Shellcode + description: Convert 32 and 64-bit shellcode to a Windows executable file. + docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode + website: https://github.com/repnz/shellcode2exe + anchor: shellcode2exe.bat + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: shodan + name: Shodan + aliases: [] + description: Search engine for internet-connected devices and exposed services + in_remnux: false + platform: online + sources: + for610: + covered: true + description: Search engine for internet-connected devices and exposed services + category: online-platforms + labs: [] + sections: + - 1 + typical_usage: + - https://shodan.io + tags: + - infrastructure + - reconnaissance + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: sift + name: sift + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: sift + salt_state_path: remnux/repos/sift.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: signsrch + name: signsrch + aliases: [] + description: Find patterns of common encryption, compression, or encoding algorithms. 
+ in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: signsrch + salt_state_path: remnux/packages/signsrch.sls + remnux_docs: + covered: true + category: Examine Static Properties > General + description: Find patterns of common encryption, compression, or encoding algorithms. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: http://aluigi.altervista.org/mytoolz.htm + anchor: signsrch + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: sleuth-kit + name: Sleuth Kit + aliases: [] + description: Analyze disk images and recover files from them. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Examine Static Properties > General + description: Analyze disk images and recover files from them. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: https://www.sleuthkit.org/sleuthkit + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: sleuthkit + name: sleuthkit + aliases: + - remnux-packages-sleuthkit + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: remnux-packages-sleuthkit + salt_state_path: remnux/packages/sleuthkit.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: snap + name: snap + aliases: + - remnux-package-snap + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: remnux-package-snap + salt_state_path: remnux/packages/snap.sls + remnux_docs: + covered: false + 
has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: snapd + name: snapd + aliases: + - remnux-package-snapd + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: remnux-package-snapd + salt_state_path: remnux/packages/snapd.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: software-properties-common + name: software-properties-common + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: software-properties-common + salt_state_path: remnux/packages/software-properties-common.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: sortcanon-py + name: sortcanon.py + aliases: [] + description: Sort text files using canonicalization functions built into this tool. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: General Utilities + description: Sort text files using canonicalization functions built into this + tool. 
+ docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + website: https://blog.didierstevens.com/2022/06/18/new-tool-sortcanon-py/ + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: speakeasy + name: speakeasy + aliases: [] + description: Windows binary emulator — emulates API calls to analyze malware behavior + without native execution + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Windows binary emulator — emulates API calls to analyze malware + behavior without native execution + category: emulation + labs: + - '1.4' + sections: + - 1 + typical_usage: + - speakeasy -t specimen.exe -o report.json 2> report.txt + - speakeasy -t shellcode.bin -r -a x86 + tags: + - emulation + - api-calls + - behavioral-analysis + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-speakeasy + salt_state_path: remnux/python3-packages/speakeasy.sls + remnux_docs: + covered: true + category: Statically Analyze Code > PE Files + description: Emulate code execution, including shellcode, Windows drivers, and + Windows PE files. 
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files + website: https://github.com/mandiant/speakeasy + anchor: speakeasy + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: spidermonkey + name: SpiderMonkey + aliases: + - js + description: Mozilla JavaScript engine — execute and deobfuscate malicious JavaScript + outside a browser + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Mozilla JavaScript engine — execute and deobfuscate malicious JavaScript + outside a browser + category: javascript-analysis + labs: + - '3.6' + - '3.7' + - '4.5' + sections: + - 3 + - 4 + typical_usage: + - js -f malicious.js + - js -f /usr/share/remnux/objects.js -f malicious.js > decoded.js + tags: + - javascript + - deobfuscation + - execution + salt_states: + covered: true + install_method: pip + package_name: stpyv8 + salt_state_path: remnux/python3-packages/stpyv8.sls + remnux_docs: + covered: true + category: Dynamically Reverse-Engineer Code > Scripts + description: Python3 and JavaScript interop engine, fork of the original PyV8 + project. + docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts + website: https://github.com/cloudflare/stpyv8 + anchor: stpyv8 + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: sqlite + name: SQLite + aliases: [] + description: Manage and interact with SQL database files. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: General Utilities + description: Manage and interact with SQL database files. 
+ docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + website: http://www.sqlite.org + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: ssdeep + name: ssdeep + aliases: [] + description: Compute fuzzy hashes (CTPH) for finding similar files — useful for + malware variant clustering + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - ssdeep + - ssdeep -m + - ssdeep -d + tags: + - hashing + - fuzzy + - similarity + - clustering + description: Compute fuzzy hashes (CTPH) for finding similar files — useful + for malware variant clustering + salt_states: + covered: true + install_method: apt + package_name: ssdeep + salt_state_path: remnux/packages/ssdeep.sls + remnux_docs: + covered: true + category: Examine Static Properties > General + description: Compute Context Triggered Piecewise Hashes (CTPH), also known as + fuzzy hashes. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: https://ssdeep-project.github.io/ssdeep/index.html + anchor: ssdeep + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: ssh + name: ssh + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: ssh + salt_state_path: remnux/theme/ssh.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: ssview + name: ssview + aliases: [] + description: Analyze OLE2 Structured Storage files. 
+ in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: manual + package_name: ssview + salt_state_path: remnux/tools/ssview.sls + remnux_docs: + covered: true + category: Analyze Documents > Microsoft Office + description: Analyze OLE2 Structured Storage files. + docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + website: https://www.mitec.cz/ssv.html + anchor: ssview + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: strace + name: strace + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: strace + salt_state_path: remnux/packages/strace.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: strdeob-pl + name: strdeob.pl + aliases: [] + description: Automatically decode stack-built strings from disassembled malware + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Automatically decode stack-built strings from disassembled malware + category: string-deobfuscation + labs: + - '5.2' + sections: + - 5 + typical_usage: + - strdeob.pl specimen.exe + tags: + - stack-strings + - deobfuscation + salt_states: + covered: true + install_method: script + package_name: strdeob.pl + salt_state_path: remnux/scripts/strdeob.sls + remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Locate and decode stack strings in executable files. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://github.com/REMnux/distro/blob/master/files/strdeob.pl + anchor: strdeob.pl + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: strings + name: strings + aliases: [] + description: Extract printable ASCII and Unicode strings from binary files + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Extract printable ASCII and Unicode strings from binary files + category: static-analysis-pe + labs: + - '3.4' + - '5.2' + sections: + - 1 + - 3 + typical_usage: + - strings binary.exe + - strings -n 10 binary.exe + - strings --encoding=l binary.exe + tags: + - strings + - static-analysis + - triage + salt_states: + covered: false + remnux_docs: + covered: true + category: Examine Static Properties > General + description: Extract ASCII and Unicode strings from binary files with length + sorting and filtering. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: https://blog.didierstevens.com/2020/12/19/update-strings-py-version-0-0-6/ + anchor: strings.py + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: false + help_tier: rich +- id: subversion + name: subversion + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: subversion + salt_state_path: remnux/packages/subversion.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: sudo + name: sudo + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: sudo + salt_state_path: remnux/packages/sudo.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: sudoers + name: sudoers + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: sudoers + salt_state_path: remnux/theme/sudoers.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: system-informer + name: System Informer + aliases: + - Process Hacker + description: Monitor processes, network connections, handles, and system resources + in real time + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: Monitor processes, network connections, handles, and system resources + in real time + category: behavioral-analysis + labs: + - '1.2' + - '1.3' + - '1.6' + - '1.7' + - '1.8' + - '4.2' + - '4.5' + - '5.1' + sections: + - 1 + - 4 + - 5 + typical_usage: + - 
SystemInformer.exe + tags: + - process-monitoring + - handles + - network + - real-time + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: tcpdump + name: tcpdump + aliases: [] + description: Command-line packet capture tool + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Command-line packet capture tool + category: network-analysis + labs: [] + sections: + - 1 + typical_usage: + - tcpdump -i eth0 -w capture.pcap + - tcpdump -r capture.pcap + tags: + - packet-capture + - cli + - network + salt_states: + covered: true + install_method: apt + package_name: tcpdump + salt_state_path: remnux/packages/tcpdump.sls + remnux_docs: + covered: true + category: Explore Network Interactions > Monitoring + description: Capture and analyze network traffic with this command-line sniffer. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring + website: https://www.tcpdump.org + anchor: tcpdump + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: tcpflow + name: tcpflow + aliases: [] + description: Extract and reassemble TCP streams from PCAP files into individual + files + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - tcpflow -r -o output/ + tags: + - network + - tcp + - stream-extraction + description: Extract and reassemble TCP streams from PCAP files into individual + files + salt_states: + covered: true + install_method: apt + package_name: tcpflow + salt_state_path: remnux/packages/tcpflow.sls + remnux_docs: + covered: true + category: Explore Network Interactions > Monitoring + description: Analyze the flow of network traffic. 
+ docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring + website: https://downloads.digitalcorpora.org/downloads/tcpflow/ + anchor: tcpflow + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: tcpick + name: tcpick + aliases: [] + description: Capture and analyze network traffic with this command-line sniffer. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: tcpick + salt_state_path: remnux/packages/tcpick.sls + remnux_docs: + covered: true + category: Explore Network Interactions > Monitoring + description: Capture and analyze network traffic with this command-line sniffer. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring + website: http://tcpick.sourceforge.net + anchor: tcpick + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: tcplogview + name: TcpLogView + aliases: [] + description: Log opened and closed TCP connections with process information + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: Log opened and closed TCP connections with process information + category: behavioral-analysis + labs: [] + sections: + - 1 + typical_usage: + - TcpLogView.exe + tags: + - network + - tcp + - connection-logging + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: tcpxtract + name: tcpxtract + aliases: [] + description: Carve files from network traffic using file signatures + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - tcpxtract -f -o output/ + tags: + - network + - file-carving + - pcap + description: Carve files from network traffic using file signatures + salt_states: + covered: true + 
install_method: apt + package_name: tcpxtract + salt_state_path: remnux/packages/tcpxtract.sls + remnux_docs: + covered: true + category: Explore Network Interactions > Monitoring + description: Extract files from network traffic. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring + website: http://tcpxtract.sourceforge.net + anchor: tcpxtract + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: tesseract-ocr + name: tesseract-ocr + aliases: [] + description: Examine images to identify and extract text using optical character + recognition (OCR). + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: tesseract-ocr + salt_state_path: remnux/packages/tesseract-ocr.sls + remnux_docs: + covered: true + category: Analyze Documents > General + description: Examine images to identify and extract text using optical character + recognition (OCR). + docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/general + website: https://github.com/tesseract-ocr/tesseract + anchor: tesseract-ocr + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: texteditor-py + name: texteditor.py + aliases: [] + description: Edit text files from the command line using search-and-replace commands. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: General Utilities + description: Edit text files from the command line using search-and-replace + commands. 
+ docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + website: https://blog.didierstevens.com/2021/07/05/new-tool-texteditor-py/ + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: thefuzz + name: thefuzz + aliases: + - remnux-python3-packages-thefuzz + description: Fuzzy String Matching in Python. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-thefuzz + salt_state_path: remnux/python3-packages/thefuzz.sls + remnux_docs: + covered: true + category: Examine Static Properties > General + description: Fuzzy String Matching in Python. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: https://github.com/seatgeek/thefuzz + anchor: thefuzz + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: threatfox + name: ThreatFox + aliases: [] + description: Threat intelligence platform for sharing IOCs associated with malware + in_remnux: false + platform: online + sources: + for610: + covered: true + description: Threat intelligence platform for sharing IOCs associated with malware + category: online-platforms + labs: [] + sections: + - 1 + typical_usage: + - https://threatfox.abuse.ch + tags: + - threat-intel + - ioc-sharing + - abuse-ch + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: thug + name: Thug + aliases: [] + description: Low-interaction honeyclient for analyzing malicious websites and drive-by + downloads + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Low-interaction honeyclient for analyzing malicious websites and + drive-by downloads + category: network-analysis + labs: [] + sections: + - 3 + typical_usage: + - thug -u 
win7chrome49 http://suspicious-site.com + tags: + - honeyclient + - web-analysis + - drive-by + salt_states: + covered: true + install_method: unknown + package_name: thug + salt_state_path: remnux/config/thug.sls + remnux_docs: + covered: true + category: Explore Network Interactions > Connecting + description: Examine suspicious website using this low-interaction honeyclient. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting + website: https://github.com/buffer/thug + anchor: thug + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: time-decode + name: time-decode + aliases: + - remnux-python3-packages-time-decode + description: Decode and encode date and timestamps. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-time-decode + salt_state_path: remnux/python3-packages/time-decode.sls + remnux_docs: + covered: true + category: Gather and Analyze Data + description: Decode and encode date and timestamps. + docs_url: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + website: https://github.com/digitalsleuth/time_decode + anchor: time-decode + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: tor + name: tor + aliases: [] + description: Obfuscate your origins by routing traffic through a network of anonymizing + nodes. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: tor + salt_state_path: remnux/packages/tor.sls + remnux_docs: + covered: true + category: Explore Network Interactions > Connecting + description: Obfuscate your origins by routing traffic through a network of + anonymizing nodes. 
+ docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting + website: https://www.torproject.org + anchor: tor + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: torsocks + name: torsocks + aliases: [] + description: Route network traffic through the Tor anonymity network + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Route network traffic through the Tor anonymity network + category: network-analysis + labs: [] + sections: + - 1 + typical_usage: + - torsocks curl http://example.onion + tags: + - tor + - anonymity + - network-routing + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: translate-py + name: translate.py + aliases: [] + description: Transform data using Python expressions (XOR, ADD, etc.) + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Transform data using Python expressions (XOR, ADD, etc.) + category: document-analysis + labs: + - '3.4' + sections: + - 3 + typical_usage: + - translate.py "byte ^ 35" < input.bin > output.bin + tags: + - xor + - transformation + - decoding + - didier-stevens + author: Didier Stevens + salt_states: + covered: false + remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Translate bytes according to a Python expression. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://blog.didierstevens.com/programs/translate/ + anchor: translate.py + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: false + help_tier: rich +- id: trid + name: trid + aliases: [] + description: Identify file type by scanning binary signatures database + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Identify file type by scanning binary signatures database + category: static-analysis-pe + labs: + - '3.3' + - '3.4' + sections: + - 3 + typical_usage: + - trid document.doc + tags: + - file-identification + - triage + salt_states: + covered: true + install_method: manual + package_name: trid + salt_state_path: remnux/tools/trid.sls + remnux_docs: + covered: true + category: Examine Static Properties > General + description: Identify file type using signatures. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: https://mark0.net/soft-trid-e.html + anchor: trid + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: tshark + name: tshark + aliases: [] + description: Command-line interface to Wireshark for packet capture and analysis + in_remnux: true + platform: both + sources: + for610: + covered: true + description: Command-line interface to Wireshark for packet capture and analysis + category: network-analysis + labs: [] + sections: + - 1 + typical_usage: + - tshark -r capture.pcap + - tshark -i eth0 -w capture.pcap + tags: + - packet-capture + - cli + - network + salt_states: + covered: true + install_method: apt + package_name: tshark + salt_state_path: remnux/packages/tshark.sls + remnux_docs: + covered: true + category: Explore Network Interactions > Monitoring + description: Capture and analyze network traffic with this console-based sniffer. 
+ docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring + website: https://www.wireshark.org + anchor: tshark + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: tzdata + name: tzdata + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: tzdata + salt_state_path: remnux/packages/tzdata.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: ubuntu + name: ubuntu + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: ubuntu + salt_state_path: remnux/repos/ubuntu.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: ubuntu-universe + name: ubuntu-universe + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: ubuntu-universe + salt_state_path: remnux/repos/ubuntu-universe.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: uncompyle6 + name: uncompyle6 + aliases: + - remnux-python3-packages-uncompyle6 + description: Decompile Python bytecode (.pyc) back to source — supports Python 1.0 + through 3.8 + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - uncompyle6 + - uncompyle6 -o output/ + tags: + - python + - decompilation + - bytecode + description: Decompile Python bytecode (.pyc) back to source — supports Python + 1.0 through 3.8 + salt_states: + covered: true + install_method: pip + package_name: 
remnux-python3-packages-uncompyle6 + salt_state_path: remnux/python3-packages/uncompyle6.sls + remnux_docs: + covered: true + category: Statically Analyze Code > Python + description: Python cross-version bytecode decompiler for Python 1. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/python + website: https://github.com/rocky/python-uncompyle6 + anchor: uncompyle6 + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: unfurl + name: Unfurl + aliases: [] + description: Deconstruct and decode URLs — reveal tracking parameters, encoded data, + and redirect chains + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - unfurl parse + tags: + - url + - decoding + - phishing + - tracking + description: Deconstruct and decode URLs — reveal tracking parameters, encoded + data, and redirect chains + salt_states: + covered: false + remnux_docs: + covered: true + category: Explore Network Interactions > Connecting + description: Deconstruct and decode data from a URL. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting + website: https://github.com/obsidianforensics/unfurl + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: false + help_tier: rich +- id: unhide + name: unhide + aliases: [] + description: Find hidden processes or connections on the local Linux system. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: unhide + salt_state_path: remnux/packages/unhide.sls + remnux_docs: + covered: true + category: Investigate System Interactions + description: Find hidden processes or connections on the local Linux system. 
+ docs_url: https://docs.remnux.org/discover-the-tools/investigate+system+interactions + website: http://www.unhide-forensics.info + anchor: unhide + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: unicode + name: unicode + aliases: [] + description: Display Unicode character properties. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Display Unicode character properties. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://github.com/garabik/unicode + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: unpacme + name: UnpacMe + aliases: [] + description: Automated online malware unpacking service + in_remnux: false + platform: online + sources: + for610: + covered: true + description: Automated online malware unpacking service + category: online-platforms + labs: [] + sections: + - 4 + typical_usage: + - https://www.unpac.me + tags: + - unpacking + - automated + - online + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: unxor + name: unxor + aliases: + - unxor.py + description: Deobfuscate XOR'ed files. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: script + package_name: unxor.py + salt_state_path: remnux/scripts/unxor.sls + remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Deobfuscate XOR'ed files. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://github.com/tomchop/unxor/ + anchor: unxor + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: unzip + name: unzip + aliases: [] + description: Extract ZIP archives containing malware samples + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Extract ZIP archives containing malware samples + category: utilities + labs: + - '1.1' + - '3.1' + - '3.3' + - '3.4' + - '3.5' + - '3.6' + - '3.7' + - '4.1' + - '4.8' + - '5.2' + - '5.3' + - '5.4' + sections: + - 1 + - 3 + - 4 + - 5 + typical_usage: + - unzip -P infected sample.zip + tags: + - archive + - extraction + salt_states: + covered: true + install_method: apt + package_name: unzip + salt_state_path: remnux/packages/unzip.sls + remnux_docs: + covered: true + category: General Utilities + description: Compress and decompress files using the zip algorithm. + docs_url: https://docs.remnux.org/discover-the-tools/general+utilities + website: http://infozip.sourceforge.net + anchor: info-zip + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: upx + name: UPX + aliases: + - upx + description: Universal Packer for eXecutables — compress and decompress PE files + in_remnux: true + platform: both + sources: + for610: + covered: true + description: Universal Packer for eXecutables — compress and decompress PE files + category: unpacking + labs: + - '4.2' + sections: + - 4 + typical_usage: + - upx -d packed.exe + - upx -d packed.exe -o unpacked.exe + tags: + - packer + - unpacker + - compression + salt_states: + covered: true + install_method: apt + package_name: upx-ucl + salt_state_path: remnux/packages/upx-ucl.sls + remnux_docs: + covered: true + category: Statically Analyze Code > Unpacking + description: Pack and unpack PE files. 
+ docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/unpacking + website: https://upx.github.io + anchor: upx + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: urlscan-io + name: urlscan.io + aliases: [] + description: Website and URL investigation service — screenshots, DOM analysis, + network requests + in_remnux: false + platform: online + sources: + for610: + covered: true + description: Website and URL investigation service — screenshots, DOM analysis, + network requests + category: online-platforms + labs: [] + sections: + - 1 + typical_usage: + - https://urlscan.io + tags: + - url-analysis + - website-investigation + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: user + name: user + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: user + salt_state_path: remnux/config/user.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: vbindiff + name: vbindiff + aliases: [] + description: Compare binary files. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: vbindiff + salt_state_path: remnux/packages/vbindiff.sls + remnux_docs: + covered: true + category: View or Edit Files + description: Compare binary files. 
+ docs_url: https://docs.remnux.org/discover-the-tools/view+or+edit+files + website: https://www.cjmweb.net/vbindiff/ + anchor: vbindiff + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: vim + name: vim + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: vim + salt_state_path: remnux/packages/vim.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: virtualbox + name: VirtualBox + aliases: [] + description: Open-source hypervisor for running analysis virtual machines + in_remnux: false + platform: both + sources: + for610: + covered: true + description: Open-source hypervisor for running analysis virtual machines + category: virtualization + labs: [] + sections: + - 1 + typical_usage: + - VirtualBox + tags: + - hypervisor + - open-source + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: virustotal + name: VirusTotal + aliases: + - VT + description: Multi-engine antivirus scanning, behavioral analysis, and threat intelligence + in_remnux: false + platform: online + sources: + for610: + covered: true + description: Multi-engine antivirus scanning, behavioral analysis, and threat + intelligence + category: online-platforms + labs: [] + sections: + - 1 + typical_usage: + - https://virustotal.com + tags: + - scanning + - multi-engine + - threat-intel + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: virustotal-search + name: virustotal-search + aliases: [] + description: Search VirusTotal for file hashes. 
+ in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Gather and Analyze Data + description: Search VirusTotal for file hashes. + docs_url: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + website: https://blog.didierstevens.com/programs/virustotal-tools/ + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: virustotal-submit + name: virustotal-submit + aliases: [] + description: Submit files to VirusTotal. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Gather and Analyze Data + description: Submit files to VirusTotal. + docs_url: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + website: https://blog.didierstevens.com/programs/virustotal-tools/ + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: visual-studio-code + name: Visual Studio Code + aliases: + - code + - VS Code + description: Code editor used for viewing decompiled output, scripts, and analysis + results + in_remnux: true + platform: both + sources: + for610: + covered: true + description: Code editor used for viewing decompiled output, scripts, and analysis + results + category: utilities + labs: + - '1.3' + - '1.4' + - '1.5' + - '3.3' + - '3.6' + - '3.7' + - '4.5' + - '4.8' + - '5.2' + - '5.3' + sections: + - 1 + - 3 + - 4 + - 5 + typical_usage: + - code filename.js + tags: + - editor + - code-viewer + salt_states: + covered: false + remnux_docs: + covered: true + category: View or Edit Files + description: Powerful source code editor. 
+ docs_url: https://docs.remnux.org/discover-the-tools/view+or+edit+files + website: https://code.visualstudio.com/ + anchor: visual-studio-code + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: false + help_tier: rich +- id: vivisect + name: Vivisect + aliases: [] + description: Binary analysis and emulation framework — static analysis with emulation + capabilities + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - vivbin + - python3 -c "import vivisect; vw = vivisect.VivWorkspace(); vw.loadFromFile('')" + tags: + - emulation + - static-analysis + - binary-analysis + description: Binary analysis and emulation framework — static analysis with + emulation capabilities + salt_states: + covered: false + remnux_docs: + covered: true + category: Statically Analyze Code > General + description: Statically examine and emulate binary files. + docs_url: https://docs.remnux.org/discover-the-tools/statically+analyze+code/general + website: https://github.com/vivisect/vivisect + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: false + help_tier: rich +- id: vmware-fusion + name: VMware Fusion + aliases: [] + description: macOS hypervisor for running analysis virtual machines + in_remnux: false + platform: both + sources: + for610: + covered: true + description: macOS hypervisor for running analysis virtual machines + category: virtualization + labs: [] + sections: + - 1 + typical_usage: + - VMware Fusion.app + tags: + - hypervisor + - macos + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: vmware-workstation + name: VMware Workstation Pro + aliases: + - VMware + description: Desktop hypervisor for running isolated analysis VMs with snapshots + and host-only networking + in_remnux: false + platform: both + sources: + for610: + covered: true + description: Desktop hypervisor for 
running isolated analysis VMs with snapshots + and host-only networking + category: virtualization + labs: [] + sections: + - 1 + typical_usage: + - vmware + tags: + - hypervisor + - vm + - isolation + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: volatility3 + name: volatility3 + aliases: [] + description: Memory forensics framework — analyze RAM dumps to find malware, hidden + processes, network connections, and injected code + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - vol3 -f windows.info + - vol3 -f windows.pslist + - vol3 -f windows.pstree + - vol3 -f windows.netscan + - vol3 -f windows.malfind + - vol3 -f windows.dlllist --pid + - vol3 -f windows.dumpfiles --pid + tags: + - memory + - forensics + - volatility + - incident-response + description: Memory forensics framework — analyze RAM dumps to find malware, + hidden processes, network connections, and injected code + salt_states: + covered: true + install_method: unknown + package_name: volatility3 + salt_state_path: remnux/config/volatility3.sls + remnux_docs: + covered: true + category: Perform Memory Forensics + description: Memory forensics tool and framework. 
+ docs_url: https://docs.remnux.org/discover-the-tools/perform+memory+forensics + website: https://github.com/volatilityfoundation/volatility3 + anchor: volatility-framework + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: vscode + name: vscode + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: vscode + salt_state_path: remnux/config/vscode.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: wget + name: wget + aliases: [] + description: Download files from HTTP/HTTPS/FTP servers + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Download files from HTTP/HTTPS/FTP servers + category: utilities + labs: [] + sections: + - 1 + typical_usage: + - wget http://example.com/file.bin + tags: + - download + - http + salt_states: + covered: true + install_method: apt + package_name: remnux-packages-wget + salt_state_path: remnux/packages/wget.sls + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: true + help_tier: rich +- id: windbg + name: WinDbg + aliases: [] + description: Microsoft Windows debugger for kernel and user-mode debugging + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: Microsoft Windows debugger for kernel and user-mode debugging + category: debugging + labs: [] + sections: + - 2 + typical_usage: + - windbg.exe specimen.exe + tags: + - debugger + - kernel + - microsoft + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: wine + name: Wine + aliases: [] + description: Windows compatibility layer — run Windows executables on Linux + in_remnux: true + platform: 
linux + sources: + for610: + covered: true + description: Windows compatibility layer — run Windows executables on Linux + category: utilities + labs: + - '3.5' + sections: + - 3 + typical_usage: + - wine program.exe + tags: + - windows-compat + - execution + salt_states: + covered: true + install_method: apt + package_name: remnux-packages-wine + salt_state_path: remnux/packages/wine.sls + remnux_docs: + covered: true + category: Dynamically Reverse-Engineer Code > General + description: Run Windows applications. + docs_url: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/general + website: https://www.winehq.org + anchor: wine + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: winscp + name: WinSCP + aliases: [] + description: Windows SCP/SFTP client for transferring files between Windows and + Linux VMs + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: Windows SCP/SFTP client for transferring files between Windows + and Linux VMs + category: utilities + labs: + - '4.5' + sections: + - 4 + typical_usage: + - WinSCP.exe + tags: + - file-transfer + - scp + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: wireshark + name: Wireshark + aliases: [] + description: GUI network protocol analyzer for capturing and inspecting packet-level + traffic + in_remnux: true + platform: both + sources: + for610: + covered: true + description: GUI network protocol analyzer for capturing and inspecting packet-level + traffic + category: network-analysis + labs: + - '1.2' + - '1.3' + - '1.6' + - '1.7' + - '1.8' + - '5.1' + sections: + - 1 + - 5 + typical_usage: + - wireshark + - wireshark -r capture.pcap + tags: + - packet-capture + - protocol-analysis + - network + salt_states: + covered: true + install_method: apt + package_name: wireshark + 
salt_state_path: remnux/packages/wireshark.sls + remnux_docs: + covered: true + category: Explore Network Interactions > Monitoring + description: Capture and analyze network traffic with this sniffer. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring + website: https://www.wireshark.org + anchor: wireshark + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: wireshark-dev + name: wireshark-dev + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: unknown + package_name: wireshark-dev + salt_state_path: remnux/repos/wireshark-dev.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: wxhexeditor + name: wxhexeditor + aliases: [] + description: Hex editor. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: wxhexeditor + salt_state_path: remnux/packages/wxhexeditor.sls + remnux_docs: + covered: true + category: Examine Static Properties > General + description: Hex editor. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: https://sourceforge.net/projects/wxhexeditor/ + anchor: wxhexeditor + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: x32dbg + name: x32dbg + aliases: [] + description: Open-source 32-bit debugger for dynamic malware analysis — breakpoints, + memory inspection, patching + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: Open-source 32-bit debugger for dynamic malware analysis — breakpoints, + memory inspection, patching + category: debugging + labs: + - '3.5' + - '3.10' + - '4.6' + - '4.7' + - '5.3' + - '5.4' + - '5.5' + - '5.6' + - '5.7' + - '5.8' + - '5.9' + - '5.10' + sections: + - 3 + - 4 + - 5 + typical_usage: + - x32dbg.exe specimen.exe + tags: + - debugger + - 32-bit + - dynamic-analysis + - breakpoints + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: x64dbg + name: x64dbg + aliases: [] + description: Open-source 64-bit debugger for dynamic malware analysis — breakpoints, + memory inspection, patching + in_remnux: false + platform: windows + sources: + for610: + covered: true + description: Open-source 64-bit debugger for dynamic malware analysis — breakpoints, + memory inspection, patching + category: debugging + labs: + - '1.5' + - '4.3' + - '4.4' + - '5.1' + sections: + - 1 + - 4 + - 5 + typical_usage: + - x64dbg.exe specimen.exe + tags: + - debugger + - 64-bit + - dynamic-analysis + - breakpoints + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: xanalyzer + name: xAnalyzer + aliases: [] + description: x32dbg plugin providing extended analysis — API parameter names and + types in disassembly + in_remnux: false + platform: windows + 
sources: + for610: + covered: true + description: x32dbg plugin providing extended analysis — API parameter names + and types in disassembly + category: anti-analysis + labs: + - '5.10' + sections: + - 5 + typical_usage: + - Plugins > xAnalyzer + tags: + - x32dbg-plugin + - analysis-enhancement + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: xdg-utils + name: xdg-utils + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: xdg-utils + salt_state_path: remnux/packages/xdg-utils.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: xlmmacrodeobfuscator + name: XLMMacroDeobfuscator + aliases: [] + description: Deobfuscate Excel 4.0 (XLM) macros — these hide in hidden sheets and + are hard to detect + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - xlmdeobfuscator --file + - xlmdeobfuscator --file --no-indent + tags: + - office + - excel + - xlm + - macro + - deobfuscation + description: Deobfuscate Excel 4.0 (XLM) macros — these hide in hidden sheets + and are hard to detect + salt_states: + covered: false + remnux_docs: + covered: true + category: Analyze Documents > Microsoft Office + description: Deobfuscate XLM macros (also known as Excel 4. + docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + website: https://github.com/DissectMalware/XLMMacroDeobfuscator + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: false + help_tier: rich +- id: xmldump-py + name: xmldump.py + aliases: [] + description: Extract contents of XML files, in particular OOXML-formatted Microsoft + Office documents. 
+ in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Analyze Documents > Microsoft Office + description: Extract contents of XML files, in particular OOXML-formatted Microsoft + Office documents. + docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + website: https://blog.didierstevens.com/2017/12/18/new-tool-xmldump-py/ + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: xmlstarlet + name: xmlstarlet + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: xmlstarlet + salt_state_path: remnux/packages/xmlstarlet.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: xor-kpa-py + name: xor-kpa.py + aliases: [] + description: Implement a XOR known plaintext attack. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Implement a XOR known plaintext attack. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://blog.didierstevens.com/2017/06/06/update-xor-kpa-py-version-0-0-5/ + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: xorbruteforcer + name: xorbruteforcer + aliases: + - xorbruteforcer.py + description: Bruteforce an XOR-encoded file. 
+ in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: script + package_name: xorbruteforcer.py + salt_state_path: remnux/scripts/xorbruteforcer.sls + remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Bruteforce an XOR-encoded file. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://eternal-todo.com/category/bruteforcer + anchor: xorbruteforcer.py + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: xorsearch + name: XORSearch + aliases: [] + description: Search for XOR/ROL/ROT/SHIFT-encoded patterns including shellcode signatures + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Search for XOR/ROL/ROT/SHIFT-encoded patterns including shellcode + signatures + category: string-deobfuscation + labs: + - '3.5' + - '5.2' + sections: + - 3 + - 5 + typical_usage: + - XORSearch -W -d 3 file.bin + - 'XORSearch -i -s specimen.exe http:' + tags: + - xor + - shellcode-detection + - pattern-search + - didier-stevens + author: Didier Stevens + salt_states: + covered: true + install_method: apt + package_name: xorsearch + salt_state_path: remnux/packages/xorsearch.sls + remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Search for XOR, ROL, ROT, and SHIFT encoded strings with YARA and + regex support. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://blog.didierstevens.com/2020/08/23/new-tool-xorsearch-py/ + anchor: xorsearch.py + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: xorstrings + name: xorstrings + aliases: [] + description: Search for XOR encoded strings in a file. 
+ in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: xorstrings + salt_state_path: remnux/packages/xorstrings.sls + remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Search for XOR encoded strings in a file. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://blog.didierstevens.com/2013/04/15/new-tool-xorstrings/ + anchor: xorstrings + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: xortool + name: xortool + aliases: + - remnux-python3-packages-xortool + description: Analyze XOR-encoded data — guess key length and probable key bytes + in_remnux: true + platform: linux + sources: + for610: + covered: true + typical_usage: + - xortool + - xortool-xor -s 'key' -i -o + tags: + - xor + - deobfuscation + - key-recovery + description: Analyze XOR-encoded data — guess key length and probable key bytes + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-xortool + salt_state_path: remnux/python3-packages/xortool.sls + remnux_docs: + covered: true + category: Examine Static Properties > Deobfuscation + description: Analyze XOR-encoded data. 
+ docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation + website: https://github.com/hellman/xortool + anchor: xortool + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: xterm + name: xterm + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: xterm + salt_state_path: remnux/packages/xterm.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: xxd + name: xxd + aliases: [] + description: Create hex dump of a file or reverse a hex dump back to binary + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Create hex dump of a file or reverse a hex dump back to binary + category: utilities + labs: [] + sections: + - 1 + typical_usage: + - xxd binary.exe + - xxd -r hexdump.txt > binary.exe + tags: + - hex + - binary-conversion + salt_states: + covered: false + remnux_docs: + covered: false + has_for610_coverage: true + has_remnux_docs: false + has_salt_state: false + help_tier: rich +- id: yara + name: yara + aliases: + - yara-rules + description: Pattern matching tool for identifying and classifying malware using + custom rules + in_remnux: true + platform: both + sources: + for610: + covered: true + description: Pattern matching tool for identifying and classifying malware using + custom rules + category: yara-detection + labs: + - '3.4' + sections: + - 3 + typical_usage: + - yara-rules specimen.bin + - yara rule.yar specimen.exe + tags: + - pattern-matching + - classification + - rules + salt_states: + covered: true + install_method: manual + package_name: https://github.com/Yara-Rules/rules.git + salt_state_path: remnux/tools/yara-rules.sls + remnux_docs: + covered: true + category: Examine Static Properties > General + description: Scan a file 
with YARA rules to identify capabilities and behaviors + (packer detection, anti-debug, networking). + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: https://github.com/Yara-Rules/rules + anchor: yara-rules + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: true + help_tier: rich +- id: yara-forge-rules + name: YARA-Forge Rules + aliases: [] + description: Scan files with curated YARA rules from 45+ sources for malware family + identification. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Examine Static Properties > General + description: Scan files with curated YARA rules from 45+ sources for malware + family identification. + docs_url: https://docs.remnux.org/discover-the-tools/examine+static+properties/general + website: https://yarahq.github.io/ + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: yara-x + name: yara-x + aliases: + - remnux-python3-packages-yara-x + description: Scan files using YARA rules, the next generation of YARA written in + Rust. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: pip + package_name: remnux-python3-packages-yara-x + salt_state_path: remnux/python3-packages/yara-x.sls + remnux_docs: + covered: true + category: Gather and Analyze Data + description: Scan files using YARA rules, the next generation of YARA written + in Rust. 
+ docs_url: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data + website: https://github.com/VirusTotal/yara-x + anchor: yara-x + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: true + help_tier: standard +- id: zbar-tools + name: zbar-tools + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: zbar-tools + salt_state_path: remnux/packages/zbar-tools.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic +- id: zbarimg + name: zbarimg + aliases: [] + description: Decode QR codes and barcodes from image files. + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: false + remnux_docs: + covered: true + category: Explore Network Interactions > Connecting + description: Decode QR codes and barcodes from image files. + docs_url: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting + website: https://github.com/mchehab/zbar + has_for610_coverage: false + has_remnux_docs: true + has_salt_state: false + help_tier: standard +- id: zipdump-py + name: zipdump.py + aliases: + - zipdump + description: Parse and analyze ZIP archive structure + in_remnux: true + platform: linux + sources: + for610: + covered: true + description: Parse and analyze ZIP archive structure + category: document-analysis + labs: [] + sections: + - 3 + typical_usage: + - zipdump.py archive.zip + tags: + - zip + - archive + - didier-stevens + author: Didier Stevens + salt_states: + covered: false + remnux_docs: + covered: true + category: Analyze Documents > Microsoft Office + description: Analyze zip-compressed files. 
+ docs_url: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office + website: https://blog.didierstevens.com/2020/07/27/update-zipdump-py-version-0-0-20/ + anchor: zipdump.py + has_for610_coverage: true + has_remnux_docs: true + has_salt_state: false + help_tier: rich +- id: zlib1g-dev + name: zlib1g-dev + aliases: [] + description: '' + in_remnux: true + platform: linux + sources: + for610: + covered: false + salt_states: + covered: true + install_method: apt + package_name: zlib1g-dev + salt_state_path: remnux/packages/zlib1g-dev.sls + remnux_docs: + covered: false + has_for610_coverage: false + has_remnux_docs: false + has_salt_state: true + help_tier: basic diff --git a/scripts/build-master-inventory.py b/scripts/build-master-inventory.py new file mode 100644 index 0000000..aa519f4 --- /dev/null +++ b/scripts/build-master-inventory.py 
@@ -0,0 +1,466 @@ +#!/usr/bin/env python3 +"""Build the master tool inventory by merging three sources. + +Merges: +1. FOR610 course data (data/for610/tools.yaml) +2. Salt-states installation data (data/remnux/sources/salt-states.yaml) +3. REMnux docs (data/remnux/sources/remnux-docs.yaml) + +Output: data/remnux/tools-master.yaml +""" + +import os +import re +import yaml + +BASE_DIR = os.path.join(os.path.dirname(__file__), "..") +FOR610_TOOLS = os.path.join(BASE_DIR, "data", "for610", "tools.yaml") +SALT_STATES = os.path.join(BASE_DIR, "data", "remnux", "sources", "salt-states.yaml") +REMNUX_DOCS = os.path.join(BASE_DIR, "data", "remnux", "sources", "remnux-docs.yaml") +ENRICHMENTS = os.path.join(BASE_DIR, "data", "remnux", "tool-enrichments.yaml") +OUTPUT = os.path.join(BASE_DIR, "data", "remnux", "tools-master.yaml") + +# Manual override mapping for tools that have different names across sources +# Format: normalized_key -> canonical_id +NAME_OVERRIDES = { + "die": "diec", + "detect-it-easy": "diec", + "detect it easy": "diec", + "js": "spidermonkey", + "js-patched": "spidermonkey", + "spidermonkey-patched": "spidermonkey", + "mozilla-spidermonkey": "spidermonkey", + "vol": "volatility3", + "vol-py": "volatility3", + "volatility-framework": "volatility3", + "volatility": "volatility3", + "process-hacker": "system-informer", + "yara-rules": "yara", + "yara-forge": "yara", + "yara-x": "yara-x", + "jsbeautifier": "js-beautify", + "js-beautifier": "js-beautify", + "ilspycmd": "ilspycmd", + "ilspy": "ilspy", + "upx-ucl": "upx", + "unrar-free": "rar", + "netcat-openbsd": "netcat", + "net-tools": "net-tools", + "oletools": "olevba", + "pev": "readpe", + "scdbg": "scdbgc", + "origamindee": "origami", + "pdftk-java": "pdftk", + "fakenet-ng": "fakenet-ng", + "accept-all-ips": "httpd", + "7zip": "7zip", + "7z": "7zip", + "p7zip": "7zip", + "info-zip": "unzip", + "cutter": "cutter", + "r2pipe": "radare2", + "r2": "radare2", + "stpyv8": "spidermonkey", + "rhino-debugger": 
"spidermonkey", + "powershell-core": "powershell", + "powershell": "powershell", + "didier-stevens-scripts": "didier-stevens-suite", + "docker-compose": "docker", + "docker": "docker", + "ghidrassist-mcp": "ghidra", + "remnux-mcp-server": "remnux-mcp-server", +} + + +def normalize_name(name): + """Normalize a tool name for matching.""" + n = name.lower().strip() + n = re.sub(r'\.py$', '', n) + n = re.sub(r'\.pl$', '', n) + n = re.sub(r'\.bat$', '', n) + n = re.sub(r'[^a-z0-9]+', '-', n) + n = n.strip('-') + return n + + +def make_id(name): + """Create a kebab-case ID from a name.""" + n = name.lower().strip() + # Keep .py/.pl as -py/-pl in the ID + n = re.sub(r'\.py$', '-py', n) + n = re.sub(r'\.pl$', '-pl', n) + n = re.sub(r'\.bat$', '-bat', n) + n = re.sub(r'[^a-z0-9]+', '-', n) + n = n.strip('-') + return n + + +def load_for610(): + """Load FOR610 tools.""" + with open(FOR610_TOOLS) as f: + data = yaml.safe_load(f) + return data.get("tools", []) + + +def load_salt_states(): + """Load salt-states parsed data.""" + if not os.path.exists(SALT_STATES): + print(f" Warning: {SALT_STATES} not found, skipping") + return [] + with open(SALT_STATES) as f: + data = yaml.safe_load(f) + return data.get("tools", []) + + +def load_remnux_docs(): + """Load REMnux docs scraped data.""" + if not os.path.exists(REMNUX_DOCS): + print(f" Warning: {REMNUX_DOCS} not found, skipping") + return [] + with open(REMNUX_DOCS) as f: + data = yaml.safe_load(f) + return data.get("tools", []) + + +def build_lookup_index(master_tools): + """Build a multi-key lookup index for matching.""" + index = {} + for tool in master_tools: + tid = tool["id"] + # Index by id + index[tid] = tid + # Index by normalized name + index[normalize_name(tool["name"])] = tid + # Index by aliases + for alias in tool.get("aliases", []): + index[normalize_name(alias)] = tid + return index + + +def find_match(name, index): + """Try to find a matching tool in the index.""" + normalized = normalize_name(name) + + # Check 
overrides first + if normalized in NAME_OVERRIDES: + override_id = NAME_OVERRIDES[normalized] + if override_id in index: + return index[override_id] + return override_id + + # Direct match + if normalized in index: + return index[normalized] + + # Try with -py suffix + if normalized + "-py" in index: + return index[normalized + "-py"] + + # Try without trailing digits + stripped = re.sub(r'-?\d+$', '', normalized) + if stripped and stripped in index: + return index[stripped] + + return None + + +def compute_help_tier(tool): + """Determine the help tier based on coverage.""" + has_for610 = tool.get("sources", {}).get("for610", {}).get("covered", False) + has_docs = tool.get("sources", {}).get("remnux_docs", {}).get("covered", False) + has_salt = tool.get("sources", {}).get("salt_states", {}).get("covered", False) + + if has_for610: + return "rich" + elif has_docs: + return "standard" + elif has_salt: + return "basic" + else: + return "stub" + + +def main(): + print("Building master tool inventory...") + + # --- Step 1: Load FOR610 tools as base --- + print("\n1. Loading FOR610 tools...") + for610_tools = load_for610() + print(f" Loaded {len(for610_tools)} tools") + + master = {} + for t in for610_tools: + tid = t["id"] + entry = { + "id": tid, + "name": t["name"], + "aliases": t.get("aliases", []), + "description": t.get("description", ""), + "in_remnux": t.get("in_remnux", False), + "platform": t.get("platform", "linux"), + "sources": { + "for610": { + "covered": True, + "description": t.get("description", ""), + "category": t.get("category", ""), + "labs": t.get("labs", []), + "sections": t.get("for610_sections", []), + "typical_usage": t.get("typical_usage", []), + "tags": t.get("tags", []), + }, + "salt_states": {"covered": False}, + "remnux_docs": {"covered": False}, + }, + } + if t.get("author"): + entry["sources"]["for610"]["author"] = t["author"] + master[tid] = entry + + # --- Step 2: Merge salt-states --- + print("\n2. 
Loading salt-states...") + salt_tools = load_salt_states() + print(f" Loaded {len(salt_tools)} entries") + + index = build_lookup_index(list(master.values())) + salt_matched = 0 + salt_new = 0 + + for st in salt_tools: + st_id = st["id"] + st_names = st.get("package_names", [st_id]) + + # Try to match against existing tools + matched_id = None + for name in [st_id] + st_names: + matched_id = find_match(name, index) + if matched_id: + break + + if matched_id and matched_id in master: + # Enrich existing tool + master[matched_id]["sources"]["salt_states"] = { + "covered": True, + "install_method": st.get("install_method", "unknown"), + "package_name": st_names[0] if st_names else st_id, + "salt_state_path": st.get("salt_state_path", ""), + } + master[matched_id]["in_remnux"] = True + salt_matched += 1 + else: + # Create new tool entry + new_id = make_id(st_id) + # Check if override maps to something we don't have yet + if normalize_name(st_id) in NAME_OVERRIDES: + new_id = NAME_OVERRIDES[normalize_name(st_id)] + + if new_id not in master: + master[new_id] = { + "id": new_id, + "name": st_id, + "aliases": [n for n in st_names if n != st_id][:3], + "description": "", + "in_remnux": True, + "platform": "linux", + "sources": { + "for610": {"covered": False}, + "salt_states": { + "covered": True, + "install_method": st.get("install_method", "unknown"), + "package_name": st_names[0] if st_names else st_id, + "salt_state_path": st.get("salt_state_path", ""), + }, + "remnux_docs": {"covered": False}, + }, + } + # Update index + index[new_id] = new_id + index[normalize_name(st_id)] = new_id + for n in st_names: + index[normalize_name(n)] = new_id + salt_new += 1 + else: + # Already exists under the override ID + master[new_id]["sources"]["salt_states"] = { + "covered": True, + "install_method": st.get("install_method", "unknown"), + "package_name": st_names[0] if st_names else st_id, + "salt_state_path": st.get("salt_state_path", ""), + } + salt_matched += 1 + + print(f" 
Matched: {salt_matched}, New: {salt_new}") + + # --- Step 3: Merge REMnux docs --- + print("\n3. Loading REMnux docs...") + doc_tools = load_remnux_docs() + print(f" Loaded {len(doc_tools)} entries") + + # Rebuild index after salt-states additions + index = build_lookup_index(list(master.values())) + docs_matched = 0 + docs_new = 0 + + for dt in doc_tools: + dt_name = dt.get("name", "") + dt_id = dt.get("id", make_id(dt_name)) + + matched_id = find_match(dt_name, index) + if not matched_id: + matched_id = find_match(dt_id, index) + + if matched_id and matched_id in master: + # Enrich existing tool + doc_entry = { + "covered": True, + "category": dt.get("category", ""), + "description": dt.get("description", ""), + "docs_url": dt.get("docs_url", ""), + } + if dt.get("website"): + doc_entry["website"] = dt["website"] + if dt.get("anchor"): + doc_entry["anchor"] = dt["anchor"] + + master[matched_id]["sources"]["remnux_docs"] = doc_entry + + # Use REMnux docs description if we don't have one + if not master[matched_id]["description"] and dt.get("description"): + master[matched_id]["description"] = dt["description"] + + docs_matched += 1 + else: + # Create new entry + new_id = make_id(dt_name) if dt_name else dt_id + if new_id not in master: + master[new_id] = { + "id": new_id, + "name": dt_name, + "aliases": [], + "description": dt.get("description", ""), + "in_remnux": True, + "platform": "linux", + "sources": { + "for610": {"covered": False}, + "salt_states": {"covered": False}, + "remnux_docs": { + "covered": True, + "category": dt.get("category", ""), + "description": dt.get("description", ""), + "docs_url": dt.get("docs_url", ""), + }, + }, + } + if dt.get("website"): + master[new_id]["sources"]["remnux_docs"]["website"] = dt["website"] + index[new_id] = new_id + index[normalize_name(dt_name)] = new_id + docs_new += 1 + else: + master[new_id]["sources"]["remnux_docs"] = { + "covered": True, + "category": dt.get("category", ""), + "description": 
dt.get("description", ""), + "docs_url": dt.get("docs_url", ""), + } + docs_matched += 1 + + print(f" Matched: {docs_matched}, New: {docs_new}") + + # --- Step 4: Apply manual enrichments --- + print("\n4. Applying manual enrichments...") + if os.path.exists(ENRICHMENTS): + with open(ENRICHMENTS) as f: + enrich_data = yaml.safe_load(f) + enrichments = enrich_data.get("enrichments", {}) + enriched = 0 + for tool_key, enrich in enrichments.items(): + # Find the tool in master by key or normalized name + matched_id = find_match(tool_key, index) + if not matched_id: + matched_id = tool_key + if matched_id in master: + tool = master[matched_id] + # Apply enrichment data + if enrich.get("description") and not tool.get("description"): + tool["description"] = enrich["description"] + elif enrich.get("description"): + tool["description"] = enrich["description"] + # Add usage examples to for610 source (or create enrichment source) + if enrich.get("typical_usage"): + if not tool["sources"]["for610"].get("covered"): + tool["sources"]["for610"]["covered"] = True + tool["sources"]["for610"]["typical_usage"] = enrich["typical_usage"] + tool["sources"]["for610"]["tags"] = enrich.get("tags", []) + tool["sources"]["for610"]["description"] = enrich.get("description", "") + else: + # Merge usage examples + existing = tool["sources"]["for610"].get("typical_usage", []) + for u in enrich["typical_usage"]: + if u not in existing: + existing.append(u) + tool["sources"]["for610"]["typical_usage"] = existing + enriched += 1 + else: + print(f" Warning: enrichment key '{tool_key}' not found in master") + print(f" Enriched: {enriched} tools") + else: + print(" No enrichments file found, skipping") + + # Rebuild index after enrichments + index = build_lookup_index(list(master.values())) + + # --- Step 5: Compute derived fields --- + print("\n5. 
Computing derived fields...") + for tool in master.values(): + tool["has_for610_coverage"] = tool["sources"]["for610"].get("covered", False) + tool["has_remnux_docs"] = tool["sources"]["remnux_docs"].get("covered", False) + tool["has_salt_state"] = tool["sources"]["salt_states"].get("covered", False) + tool["help_tier"] = compute_help_tier(tool) + + # --- Step 6: Sort and output --- + tools_list = sorted(master.values(), key=lambda t: t["id"]) + + # Remove windows-only/online tools that aren't in remnux + # (keep them for reference but flag appropriately) + + tiers = {} + for t in tools_list: + tier = t["help_tier"] + tiers[tier] = tiers.get(tier, 0) + 1 + + output = { + "metadata": { + "total_tools": len(tools_list), + "in_remnux_count": sum(1 for t in tools_list if t["in_remnux"]), + "help_tier_counts": tiers, + "source_coverage": { + "for610_only": sum(1 for t in tools_list if t["has_for610_coverage"] and not t["has_remnux_docs"] and not t["has_salt_state"]), + "remnux_docs_only": sum(1 for t in tools_list if t["has_remnux_docs"] and not t["has_for610_coverage"] and not t["has_salt_state"]), + "salt_states_only": sum(1 for t in tools_list if t["has_salt_state"] and not t["has_for610_coverage"] and not t["has_remnux_docs"]), + "all_three": sum(1 for t in tools_list if t["has_for610_coverage"] and t["has_remnux_docs"] and t["has_salt_state"]), + "for610_and_docs": sum(1 for t in tools_list if t["has_for610_coverage"] and t["has_remnux_docs"]), + "for610_and_salt": sum(1 for t in tools_list if t["has_for610_coverage"] and t["has_salt_state"]), + "docs_and_salt": sum(1 for t in tools_list if t["has_remnux_docs"] and t["has_salt_state"]), + "no_coverage": sum(1 for t in tools_list if not t["has_for610_coverage"] and not t["has_remnux_docs"] and not t["has_salt_state"]), + }, + }, + "tools": tools_list, + } + + with open(OUTPUT, "w") as f: + yaml.dump(output, f, default_flow_style=False, sort_keys=False, allow_unicode=True) + + print(f"\n{'='*50}") + print(f"MASTER 
INVENTORY BUILT: {len(tools_list)} tools") + print(f" In REMnux: {output['metadata']['in_remnux_count']}") + print(f"\nHelp Tiers:") + for tier, count in sorted(tiers.items()): + print(f" {tier}: {count}") + print(f"\nSource Coverage:") + for key, val in output["metadata"]["source_coverage"].items(): + print(f" {key}: {val}") + print(f"\nOutput: {OUTPUT}") + + +if __name__ == "__main__": + main() diff --git a/scripts/generate-coverage-report.py b/scripts/generate-coverage-report.py new file mode 100644 index 0000000..f176548 --- /dev/null +++ b/scripts/generate-coverage-report.py 
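Review bot: In Step 4 of main() the two description branches are identical, so `if enrich.get("description") and not tool.get("description"): ... elif enrich.get("description"): ...` collapses to an unconditional overwrite and the "only fill in when missing" intent the first condition suggests is lost; either drop the first branch or make it `if enrich.get("description") and not tool.get("description"): tool["description"] = enrich["description"]` if enrichments are not meant to clobber FOR610 text. The salt_states source dict (`covered`/`install_method`/`package_name`/`salt_state_path`) is built three times in Step 2 from the same `st`/`st_names`; a small `_salt_source(st, st_names)` helper would keep the three copies from drifting. The descriptions in these sources contain non-ASCII (em dashes in the tools-master.yaml hunk above) and OUTPUT is written with `allow_unicode=True`, yet every `open()` here relies on the locale default encoding; `open(path, encoding="utf-8")` on the reads and the write makes the build independent of the container locale. The "Remove windows-only/online tools" comment in Step 6 has no code under it and should be turned into a TODO or removed.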
@@ -0,0 +1,122 @@ +#!/usr/bin/env python3 +"""Generate coverage report from the master tool inventory. + +Reads data/remnux/tools-master.yaml and produces: +- data/generated/coverage-report.md (human-readable) +- data/remnux/coverage-report.yaml (machine-readable) +""" + +import os +import yaml + +BASE_DIR = os.path.join(os.path.dirname(__file__), "..") +MASTER = os.path.join(BASE_DIR, "data", "remnux", "tools-master.yaml") +MD_OUTPUT = os.path.join(BASE_DIR, "data", "generated", "coverage-report.md") +YAML_OUTPUT = os.path.join(BASE_DIR, "data", "remnux", "coverage-report.yaml") + + +def main(): + with open(MASTER) as f: + data = yaml.safe_load(f) + + tools = data["tools"] + meta = data["metadata"] + + # Classify tools + remnux_tools = [t for t in tools if t.get("in_remnux")] + rich = [t for t in tools if t["help_tier"] == "rich"] + standard = [t for t in tools if t["help_tier"] == "standard"] + basic = [t for t in tools if t["help_tier"] == "basic"] + stub = [t for t in tools if t["help_tier"] == "stub"] + + # Tools in REMnux with no good help + needs_help = [t for t in remnux_tools if t["help_tier"] in ("basic", "stub")] + needs_help.sort(key=lambda t: t["name"]) + + # Tools with FOR610 coverage (richest help) + for610_covered = [t for t in remnux_tools if t.get("has_for610_coverage")] + for610_covered.sort(key=lambda t: t["name"]) + + # Tools with REMnux docs only (decent help) + docs_only = [t for t in remnux_tools if t.get("has_remnux_docs") and not t.get("has_for610_coverage")] + docs_only.sort(key=lambda t: t["name"]) + + # Generate markdown report + lines = [ + "# Tool Coverage Report", + "", + "## Summary", + "", + f"| Metric | Count |", + f"|--------|-------|", + f"| Total tools in master inventory | {len(tools)} |", + f"| Tools in REMnux container | {len(remnux_tools)} |", + f"| Rich help (FOR610 coverage) | {len(rich)} |", + f"| Standard help (REMnux docs) | {len(standard)} |", + f"| Basic help (salt-states only) | {len(basic)} |", + f"| Stub (no 
documentation) | {len(stub)} |", + "", + "## Source Overlap", + "", + f"| Combination | Count |", + f"|-------------|-------|", + ] + for key, val in meta["source_coverage"].items(): + lines.append(f"| {key.replace('_', ' ')} | {val} |") + + lines += [ + "", + "## Priority: REMnux Tools Needing Help", + "", + f"These {len(needs_help)} tools are installed in the container but have minimal or no documentation:", + "", + ] + for t in needs_help: + tier_badge = "basic" if t["help_tier"] == "basic" else "STUB" + lines.append(f"- `{t['name']}` [{tier_badge}]") + + lines += [ + "", + f"## Rich Help Tools ({len(for610_covered)} tools with FOR610 coverage)", + "", + ] + for t in for610_covered: + labs = t["sources"]["for610"].get("labs", []) + lab_str = f" (Labs: {', '.join(labs)})" if labs else "" + lines.append(f"- `{t['name']}`{lab_str}") + + lines += [ + "", + f"## Standard Help Tools ({len(docs_only)} tools with REMnux docs only)", + "", + ] + for t in docs_only: + cat = t["sources"]["remnux_docs"].get("category", "") + lines.append(f"- `{t['name']}` — {cat}") + + md_content = "\n".join(lines) + "\n" + + os.makedirs(os.path.dirname(MD_OUTPUT), exist_ok=True) + with open(MD_OUTPUT, "w") as f: + f.write(md_content) + + # Machine-readable YAML + yaml_data = { + "summary": meta, + "needs_help": [{"id": t["id"], "name": t["name"], "tier": t["help_tier"]} for t in needs_help], + "rich_tools": [{"id": t["id"], "name": t["name"]} for t in for610_covered], + "standard_tools": [{"id": t["id"], "name": t["name"]} for t in docs_only], + } + with open(YAML_OUTPUT, "w") as f: + yaml.dump(yaml_data, f, default_flow_style=False, sort_keys=False) + + print(f"Coverage report generated:") + print(f" Markdown: {MD_OUTPUT}") + print(f" YAML: {YAML_OUTPUT}") + print(f"\n {len(remnux_tools)} REMnux tools:") + print(f" {len(rich)} rich, {len(standard)} standard, {len(basic)} basic, {len(stub)} stub") + print(f" {len(needs_help)} need better documentation") + + +if __name__ == "__main__": + 
main() diff --git a/scripts/generate-help-artifacts.py b/scripts/generate-help-artifacts.py new file mode 100644 index 0000000..7bc8d2a --- /dev/null +++ b/scripts/generate-help-artifacts.py 
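Review bot: The markdown report embeds a literal em dash (`f"- `{t['name']}` — {cat}"`) and the master inventory it reads contains non-ASCII descriptions, but `open(MASTER)` and `open(MD_OUTPUT, "w")` use the locale default encoding, so the script can fail with a UnicodeEncodeError/DecodeError under a C locale; pass `encoding="utf-8"` on both and on the YAML write. Several f-strings carry no placeholders (`f"| Metric | Count |"`, `f"|--------|-------|"`, `f"Coverage report generated:"`) and should be plain strings. The `', '.join(labs)` in the rich-tools section assumes every lab id is already a string; the inventory hunk above quotes them, but a quick `str(l)` would keep the report robust if an unquoted lab number ever lands in the YAML.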
@@ -0,0 +1,534 @@ +#!/usr/bin/env python3 +"""Generate all help artifacts from the master tool inventory. + +Reads data/remnux/tools-master.yaml and data/for610/workflows.yaml to produce: +- data/generated/tools.db (pipe-delimited for find-tool) +- data/generated/cheatsheets/*.cheat (per-tool cheat sheets) +- data/generated/workflows/*.txt (workflow help files) +- data/generated/tldr/*.md (TLDR pages) +""" + +import os +import re +import yaml +import textwrap + +BASE_DIR = os.path.join(os.path.dirname(__file__), "..") +MASTER = os.path.join(BASE_DIR, "data", "remnux", "tools-master.yaml") +WORKFLOWS_SRC = os.path.join(BASE_DIR, "data", "for610", "workflows.yaml") +RECIPES_SRC = os.path.join(BASE_DIR, "data", "for610", "recipes.yaml") +GEN_DIR = os.path.join(BASE_DIR, "data", "generated") + + +def load_master(): + with open(MASTER) as f: + return yaml.safe_load(f) + + +def load_workflows(): + with open(WORKFLOWS_SRC) as f: + return yaml.safe_load(f) + + +def load_recipes(): + if os.path.exists(RECIPES_SRC): + with open(RECIPES_SRC) as f: + return yaml.safe_load(f) + return {"recipes": []} + + +def build_recipe_index(recipes_data): + """Build a mapping of tool_id -> list of recipes that use that tool.""" + index = {} + for recipe in recipes_data.get("recipes", []): + for tool_id in recipe.get("tools", []): + index.setdefault(tool_id, []).append(recipe) + # Also index by normalized variants + normalized = tool_id.lower().replace("-", "").replace("_", "") + if normalized != tool_id: + index.setdefault(normalized, []).append(recipe) + return index + + +# ============================================================ +# tools.db generator +# ============================================================ + +def generate_tools_db(tools): + """Generate pipe-delimited tools.db for find-tool.""" + output_path = os.path.join(GEN_DIR, "tools.db") + lines = [] + + for t in tools: + if not t.get("in_remnux"): + continue + + name = t["name"] + desc = t.get("description", 
"").replace("|", "/").replace("\n", " ").strip()[:120] + if not desc: + desc = f"(no description available)" + + # Get best category + cat = "" + if t["sources"]["remnux_docs"].get("covered"): + cat = t["sources"]["remnux_docs"].get("category", "") + elif t["sources"]["for610"].get("covered"): + cat = t["sources"]["for610"].get("category", "") + + # Get best usage example + usage = "" + if t["sources"]["for610"].get("covered"): + usages = t["sources"]["for610"].get("typical_usage", []) + if usages: + usage = usages[0] + if not usage: + usage = f"{name} --help" + usage = usage.replace("|", " ").strip() + + tier = t.get("help_tier", "stub") + + lines.append(f"{name}|{desc}|{cat}|{usage}|{tier}") + + lines.sort() + + with open(output_path, "w") as f: + f.write("\n".join(lines) + "\n") + + print(f" tools.db: {len(lines)} entries") + return len(lines) + + +# ============================================================ +# Cheatsheet generator +# ============================================================ + +def sanitize_filename(name): + """Convert tool name to a safe filename.""" + return re.sub(r'[^a-zA-Z0-9._-]', '-', name).strip('-').lower() + + +def generate_usage_comment(name, usage, index): + """Generate a descriptive comment for a usage example.""" + # Analyze the command to produce a meaningful description + usage_lower = usage.lower() + + if index == 0: + return f"Basic usage" + + # Try to describe based on flags + if "-vv" in usage or "--verbose" in usage: + return "Verbose output with details" + if "--no-static" in usage or "--no static" in usage: + return "Skip static analysis, focus on dynamic" + if "-n " in usage: + return "Suppress default output" + if "-a " in usage or "--all" in usage: + return "Show all results" + if "-s " in usage: + return "Select specific item" + if "-d " in usage: + return "Dump/extract content" + if "-r " in usage: + return "Recursive/follow references" + if "-k " in usage: + return "Extract by keyword" + if "-o " in usage: + 
return "Output to file" + if "-f " in usage: + return "Process input file" + if "-i " in usage: + return "Case-insensitive search" + if "grep" in usage_lower: + return "Filter output for specific pattern" + if "--help" in usage: + return "Show help" + if "|" in usage: + return "Pipe output for processing" + if ">" in usage: + return "Save output to file" + + return f"Alternative usage" + + +def format_recipes_section(tool_id, recipe_index): + """Generate the recipes section for a cheatsheet.""" + recipes = recipe_index.get(tool_id, []) + if not recipes: + # Try variants + for variant in [tool_id.replace("-py", ""), tool_id.replace("-", "")]: + recipes = recipe_index.get(variant, []) + if recipes: + break + if not recipes: + return "" + + # Deduplicate recipes by id + seen = set() + unique = [] + for r in recipes: + if r["id"] not in seen: + seen.add(r["id"]) + unique.append(r) + + lines = [ + "", + "# --- Recipes (multi-tool chains) ---", + "", + ] + for recipe in unique: + lines.append(f"# >> {recipe['name']}") + for cmd in recipe.get("commands", []): + lines.append(cmd) + lines.append("") + + return "\n".join(lines) + + +def generate_cheatsheet_rich(t, recipe_index=None): + """Generate a rich cheatsheet for a tool with FOR610 coverage.""" + f610 = t["sources"]["for610"] + name = t["name"] + desc = t.get("description", "") + labs = f610.get("labs", []) + sections = f610.get("sections", []) + tags = f610.get("tags", []) + usages = f610.get("typical_usage", []) + author = f610.get("author", "") + + lines = [ + f"# {name}", + f"# {desc}", + ] + + meta_parts = [] + if labs: + meta_parts.append(f"FOR610 Labs: {', '.join(labs)}") + if sections: + meta_parts.append(f"Sections: {', '.join(str(s) for s in sections)}") + if author: + meta_parts.append(f"Author: {author}") + if meta_parts: + lines.append(f"# {' | '.join(meta_parts)}") + + # REMnux docs URL if available + if t["sources"]["remnux_docs"].get("covered"): + url = t["sources"]["remnux_docs"].get("docs_url", "") + 
if url: + lines.append(f"# Docs: {url}") + + lines.append("") + + # Tags + tag_str = ", ".join(tags[:8]) if tags else name.lower() + lines.append(f"% {tag_str}") + lines.append("") + + # Usage examples with descriptive comments + for i, usage in enumerate(usages): + comment = generate_usage_comment(name, usage, i) + lines.append(f"# {comment}") + lines.append(usage) + lines.append("") + + # If no usage examples, add a basic one + if not usages: + lines.append(f"# Show help") + lines.append(f"{name} --help") + lines.append("") + + # Append recipes section if this tool participates in any recipes + if recipe_index: + recipes_text = format_recipes_section(t["id"], recipe_index) + if recipes_text: + lines.append(recipes_text) + + return "\n".join(lines) + + +def generate_cheatsheet_standard(t): + """Generate a standard cheatsheet from REMnux docs.""" + rdocs = t["sources"]["remnux_docs"] + name = t["name"] + desc = t.get("description", "") or rdocs.get("description", "") + cat = rdocs.get("category", "") + url = rdocs.get("docs_url", "") + + lines = [ + f"# {name}", + f"# {desc}" if desc else f"# {name} tool", + ] + if cat: + lines.append(f"# Category: {cat}") + if url: + lines.append(f"# Docs: {url}") + + lines += [ + "", + f"% {sanitize_filename(name)}", + "", + f"# Show help for {name}", + f"{name} --help", + "", + ] + + return "\n".join(lines) + + +def generate_cheatsheet_basic(t): + """Generate a minimal cheatsheet for a tool with only salt-states.""" + name = t["name"] + salt = t["sources"]["salt_states"] + install = salt.get("install_method", "unknown") + pkg = salt.get("package_name", name) + + lines = [ + f"# {name}", + f"# Installed via: {install} ({pkg})", + "", + f"% {sanitize_filename(name)}", + "", + f"# Show help for {name}", + f"{name} --help", + "", + ] + + return "\n".join(lines) + + +def generate_cheatsheets(tools, recipe_index=None): + """Generate per-tool cheatsheet files.""" + cheat_dir = os.path.join(GEN_DIR, "cheatsheets") + 
os.makedirs(cheat_dir, exist_ok=True) + + count = 0 + for t in tools: + if not t.get("in_remnux"): + continue + + tier = t.get("help_tier", "stub") + name = t["name"] + filename = sanitize_filename(name) + ".cheat" + + if tier == "rich": + content = generate_cheatsheet_rich(t, recipe_index=recipe_index) + elif tier == "standard": + content = generate_cheatsheet_standard(t) + else: + content = generate_cheatsheet_basic(t) + + with open(os.path.join(cheat_dir, filename), "w") as f: + f.write(content) + count += 1 + + print(f" cheatsheets: {count} .cheat files") + return count + + +# ============================================================ +# Workflow generator +# ============================================================ + +def _get_tool_examples(tool_name, master_tools_by_name): + """Get 1-2 example commands for a tool from the master inventory.""" + tool = master_tools_by_name.get(tool_name) + if not tool: + # Try kebab-case lookup + normalized = tool_name.lower().replace("_", "-") + tool = master_tools_by_name.get(normalized) + if tool and tool["sources"]["for610"].get("covered"): + usages = tool["sources"]["for610"].get("typical_usage", []) + return usages[:2] + return [] + + +def generate_workflows(workflows_data, master_tools=None): + """Generate readable workflow help files with inline examples.""" + wf_dir = os.path.join(GEN_DIR, "workflows") + os.makedirs(wf_dir, exist_ok=True) + + # Build tool name lookup for inline examples + tools_by_name = {} + if master_tools: + for t in master_tools: + tools_by_name[t["name"].lower()] = t + tools_by_name[t["id"]] = t + for alias in t.get("aliases", []): + tools_by_name[alias.lower()] = t + + workflows = workflows_data.get("workflows", []) + count = 0 + + for wf in workflows: + wf_id = wf["id"] + name = wf["name"] + desc = wf.get("description", "") + steps = wf.get("steps", []) + related_labs = wf.get("related_labs", []) + + lines = [ + f"{'='*60}", + f" {name}", + f"{'='*60}", + "", + f" {desc}", + "", + ] + + if 
related_labs: + lines.append(f" Related FOR610 Labs: {', '.join(related_labs)}") + lines.append("") + + lines.append(f"{'─'*60}") + lines.append("") + + for step in steps: + order = step.get("order", "?") + step_name = step.get("name", "") + step_desc = step.get("description", "") + step_tools = step.get("tools", []) + + lines.append(f" Step {order}: {step_name}") + if step_tools: + lines.append(f" Tools: {', '.join(step_tools)}") + if step_desc: + wrapped = textwrap.fill(step_desc, width=56, initial_indent=" ", subsequent_indent=" ") + lines.append(wrapped) + + # Add inline command examples for each tool + if step_tools and tools_by_name: + examples_shown = False + for tool_name in step_tools: + examples = _get_tool_examples(tool_name, tools_by_name) + if examples: + if not examples_shown: + lines.append("") + for ex in examples[:1]: # Show 1 example per tool + lines.append(f" $ {ex}") + examples_shown = True + + lines.append("") + + lines.append(f"{'─'*60}") + lines.append(f" Tip: 'fhelp cheat ' for full examples") + lines.append(f" 'Ctrl+G' for interactive cheatsheet browser") + lines.append("") + + filename = wf_id.replace("_", "-") + ".txt" + with open(os.path.join(wf_dir, filename), "w") as f: + f.write("\n".join(lines)) + count += 1 + + # Also generate an index file + index_lines = [ + f"{'='*60}", + f" Available Analysis Workflows", + f"{'='*60}", + "", + ] + for wf in workflows: + wf_id = wf["id"].replace("_", "-") + name = wf["name"] + desc = wf.get("description", "") + index_lines.append(f" {wf_id}") + index_lines.append(f" {name}") + wrapped = textwrap.fill(desc, width=56, initial_indent=" ", subsequent_indent=" ") + index_lines.append(wrapped) + index_lines.append("") + + index_lines += [ + f"{'─'*60}", + f" Usage: fhelp workflow ", + f" Example: fhelp workflow static-analysis", + "", + ] + + with open(os.path.join(wf_dir, "index.txt"), "w") as f: + f.write("\n".join(index_lines)) + + print(f" workflows: {count} workflow files + index") + return count 
+ + +# ============================================================ +# TLDR generator +# ============================================================ + +def generate_tldr(tools): + """Generate TLDR pages for tools missing from upstream.""" + tldr_dir = os.path.join(GEN_DIR, "tldr") + os.makedirs(tldr_dir, exist_ok=True) + + count = 0 + for t in tools: + if not t.get("in_remnux"): + continue + + tier = t.get("help_tier", "stub") + if tier not in ("rich", "standard"): + continue + + name = t["name"] + desc = t.get("description", "") or f"{name} tool" + + # Get usage examples + usages = [] + if t["sources"]["for610"].get("covered"): + usages = t["sources"]["for610"].get("typical_usage", []) + + if not usages: + usages = [f"{name} --help"] + + # TLDR format + lines = [ + f"# {name}", + "", + f"> {desc}", + "", + ] + + for i, usage in enumerate(usages[:4]): + # Create a description from the command + lines.append(f"- Run {name}:") + lines.append("") + lines.append(f"`{usage}`") + lines.append("") + + filename = sanitize_filename(name) + ".md" + with open(os.path.join(tldr_dir, filename), "w") as f: + f.write("\n".join(lines)) + count += 1 + + print(f" tldr: {count} pages") + return count + + +# ============================================================ +# Main +# ============================================================ + +def main(): + print("Generating help artifacts from master inventory...") + + master = load_master() + tools = master["tools"] + workflows_data = load_workflows() + recipes_data = load_recipes() + recipe_index = build_recipe_index(recipes_data) + + print(f"\nInput: {len(tools)} tools, {len(workflows_data.get('workflows', []))} workflows, {len(recipes_data.get('recipes', []))} recipes") + print() + + db_count = generate_tools_db(tools) + cheat_count = generate_cheatsheets(tools, recipe_index=recipe_index) + wf_count = generate_workflows(workflows_data, master_tools=tools) + tldr_count = generate_tldr(tools) + + print(f"\nAll artifacts generated in 
{GEN_DIR}/") + print(f" tools.db: {db_count} entries") + print(f" cheatsheets/: {cheat_count} files") + print(f" workflows/: {wf_count} + index") + print(f" tldr/: {tldr_count} pages") + + +if __name__ == "__main__": + main() diff --git a/scripts/parse-salt-states.py b/scripts/parse-salt-states.py new file mode 100644 index 0000000..73cb37b --- /dev/null +++ b/scripts/parse-salt-states.py 
@@ -0,0 +1,202 @@ +#!/usr/bin/env python3 +"""Parse REMnux salt-states repository to extract all installed tools/packages. + +Fetches the salt-states repo tree from GitHub, parses .sls files to identify +what gets installed, and outputs data/remnux/sources/salt-states.yaml. +""" + +import json +import re +import urllib.request +import yaml +import os + +GITHUB_API = "https://api.github.com/repos/REMnux/salt-states" +RAW_BASE = "https://raw.githubusercontent.com/REMnux/salt-states/master" +OUTPUT_PATH = os.path.join(os.path.dirname(__file__), "..", "data", "remnux", "sources", "salt-states.yaml") + + +def fetch_json(url): + req = urllib.request.Request(url, headers={"User-Agent": "remnux-tool-parser"}) + with urllib.request.urlopen(req, timeout=30) as resp: + return json.loads(resp.read().decode()) + + +def fetch_text(url): + req = urllib.request.Request(url, headers={"User-Agent": "remnux-tool-parser"}) + try: + with urllib.request.urlopen(req, timeout=30) as resp: + return resp.read().decode() + except Exception as e: + print(f" Warning: could not fetch {url}: {e}") + return None + + +def get_sls_files(): + """Get all .sls file paths from the repo.""" + tree = fetch_json(f"{GITHUB_API}/git/trees/master?recursive=1") + return [item["path"] for item in tree["tree"] + if item["path"].endswith(".sls") and item["type"] == "blob"] + + +def classify_sls_path(path): + """Classify the install method from the directory structure.""" + parts = path.lower() + if "python3-package" in parts or "python-package" in parts: + return "pip" + elif "pip" in parts: + return "pip" + elif "rubygem" in parts: + return "gem" + elif "npm" in parts or "node" in parts: + return "npm" + elif "perl-package" in parts: + return "perl" + elif "package" in parts: + return "apt" + elif "tools" in parts: + return "manual" + elif "script" in parts: + return "script" + else: + return "unknown" + + +def extract_tool_name_from_path(path): + """Extract a human-readable tool name from the .sls file 
path.""" + basename = os.path.basename(path).replace(".sls", "") + # Skip non-tool files + skip = {"init", "addon", "cloud", "dedicated", "theme", "remnux-config", + "apt-transport-https", "packages", "python3-packages", "python-packages", + "rubygems", "perl-packages", "node-packages", "tools", "scripts"} + if basename in skip: + return None + return basename + + +def parse_sls_content(content, path): + """Parse a .sls file and extract package/tool information.""" + if not content: + return [] + + results = [] + tool_name = extract_tool_name_from_path(path) + if not tool_name: + return [] + + install_method = classify_sls_path(path) + + # Try to find the actual package name from the content + package_names = [] + + # Match pip.installed, pkg.installed, gem.installed, npm.installed + for match in re.finditer(r'(\w[\w.-]+):\s*\n\s+(?:pip|pkg|gem|npm)\.installed', content): + package_names.append(match.group(1)) + + # Match "- name: package_name" in pip/pkg states + for match in re.finditer(r'-\s+name:\s+([^\s#\n]+)', content): + name = match.group(1).strip("'\"") + if name and not name.startswith('{') and not name.startswith('/'): + package_names.append(name) + + # Match wget/curl downloads (manual installs) + for match in re.finditer(r'(?:wget|curl)\s+.*?/([^/\s"]+?)(?:\s|"|$)', content): + fname = match.group(1) + if '.' 
in fname and not fname.endswith('.key'): + package_names.append(fname) + + # Match file.managed targets (scripts/binaries being deployed) + for match in re.finditer(r'/usr/local/bin/([^:\s]+)', content): + package_names.append(match.group(1)) + + # Deduplicate and clean + seen = set() + clean_names = [] + for n in package_names: + n = n.strip().strip("'\"") + if n and n.lower() not in seen and len(n) > 1: + seen.add(n.lower()) + clean_names.append(n) + + entry = { + "id": tool_name, + "package_names": clean_names if clean_names else [tool_name], + "install_method": install_method, + "salt_state_path": path, + } + + # Try to detect if it's enabled/disabled + if "False" in content and ("onlyif" in content.lower() or "unless" in content.lower()): + entry["possibly_conditional"] = True + + results.append(entry) + return results + + +def main(): + print("Fetching salt-states repository tree...") + sls_files = get_sls_files() + print(f"Found {len(sls_files)} .sls files") + + # Filter to relevant paths (skip top-level orchestration files) + relevant = [f for f in sls_files if f.startswith("remnux/")] + print(f" {len(relevant)} under remnux/") + + all_tools = [] + categories_seen = set() + + for i, path in enumerate(relevant): + if i % 20 == 0: + print(f" Processing {i}/{len(relevant)}...") + + # Derive category from path + parts = path.split("/") + if len(parts) >= 3: + category_dir = parts[1] # e.g., "python3-packages", "tools", "packages" + categories_seen.add(category_dir) + + content = fetch_text(f"{RAW_BASE}/{path}") + tools = parse_sls_content(content, path) + all_tools.extend(tools) + + # Deduplicate by id + seen_ids = set() + unique_tools = [] + for t in all_tools: + if t["id"] not in seen_ids: + seen_ids.add(t["id"]) + unique_tools.append(t) + + # Sort by id + unique_tools.sort(key=lambda t: t["id"]) + + output = { + "metadata": { + "source": "https://github.com/REMnux/salt-states", + "branch": "master", + "total_sls_files": len(relevant), + 
"total_tools_extracted": len(unique_tools), + "install_method_counts": {}, + "salt_directories": sorted(categories_seen), + }, + "tools": unique_tools, + } + + # Count install methods + for t in unique_tools: + m = t["install_method"] + output["metadata"]["install_method_counts"][m] = \ + output["metadata"]["install_method_counts"].get(m, 0) + 1 + + os.makedirs(os.path.dirname(OUTPUT_PATH), exist_ok=True) + with open(OUTPUT_PATH, "w") as f: + yaml.dump(output, f, default_flow_style=False, sort_keys=False, allow_unicode=True) + + print(f"\nDone! Extracted {len(unique_tools)} tools") + for method, count in sorted(output["metadata"]["install_method_counts"].items()): + print(f" {method}: {count}") + print(f"Output: {OUTPUT_PATH}") + + +if __name__ == "__main__": + main() diff --git a/scripts/scrape-remnux-docs.py b/scripts/scrape-remnux-docs.py new file mode 100644 index 0000000..0fa05cb --- /dev/null +++ b/scripts/scrape-remnux-docs.py 
@@ -0,0 +1,226 @@ +#!/usr/bin/env python3 +"""Scrape REMnux documentation to extract all documented tools. + +Fetches docs.remnux.org tool listing pages and extracts tool names, +descriptions, categories, and URLs. Outputs data/remnux/sources/remnux-docs.yaml. +""" + +import re +import urllib.request +import yaml +import os +import time + +BASE_URL = "https://docs.remnux.org/discover-the-tools" +OUTPUT_PATH = os.path.join(os.path.dirname(__file__), "..", "data", "remnux", "sources", "remnux-docs.yaml") + +# All known category pages from docs.remnux.org +CATEGORY_PAGES = [ + # Examine Static Properties + ("Examine Static Properties > General", "examine+static+properties/general"), + ("Examine Static Properties > PE Files", "examine+static+properties/pe-files"), + ("Examine Static Properties > ELF Files", "examine+static+properties/elf-files"), + ("Examine Static Properties > .NET", "examine+static+properties/.net"), + ("Examine Static Properties > Go", "examine+static+properties/go"), + ("Examine Static Properties > Deobfuscation", "examine+static+properties/deobfuscation"), + # Statically Analyze Code + ("Statically Analyze Code > General", "statically+analyze+code/general"), + ("Statically Analyze Code > Unpacking", "statically+analyze+code/unpacking"), + ("Statically Analyze Code > PE Files", "statically+analyze+code/pe-files"), + ("Statically Analyze Code > Python", "statically+analyze+code/python"), + ("Statically Analyze Code > Scripts", "statically+analyze+code/scripts"), + ("Statically Analyze Code > Java", "statically+analyze+code/java"), + ("Statically Analyze Code > .NET", "statically+analyze+code/.net"), + ("Statically Analyze Code > Android", "statically+analyze+code/android"), + # Dynamically Reverse-Engineer Code + ("Dynamically Reverse-Engineer Code > General", "dynamically+reverse-engineer+code/general"), + ("Dynamically Reverse-Engineer Code > Shellcode", "dynamically+reverse-engineer+code/shellcode"), + ("Dynamically Reverse-Engineer Code > 
Scripts", "dynamically+reverse-engineer+code/scripts"), + ("Dynamically Reverse-Engineer Code > ELF Files", "dynamically+reverse-engineer+code/elf-files"), + # Memory Forensics + ("Perform Memory Forensics", "perform+memory+forensics"), + # Network Interactions + ("Explore Network Interactions > Monitoring", "explore+network+interactions/monitoring"), + ("Explore Network Interactions > Connecting", "explore+network+interactions/connecting"), + ("Explore Network Interactions > Services", "explore+network+interactions/services"), + # System Interactions + ("Investigate System Interactions", "investigate+system+interactions"), + # Documents + ("Analyze Documents > General", "analyze+documents/general"), + ("Analyze Documents > PDF", "analyze+documents/pdf"), + ("Analyze Documents > Microsoft Office", "analyze+documents/microsoft+office"), + ("Analyze Documents > Email Messages", "analyze+documents/email+messages"), + # AI + ("Use Artificial Intelligence", "use+artificial+intelligence"), + # Data + ("Gather and Analyze Data", "gather+and+analyze+data"), + # View/Edit + ("View or Edit Files", "view+or+edit+files"), + # Utilities + ("General Utilities", "general+utilities"), +] + + +def fetch_page(url): + """Fetch a page and return its text content.""" + req = urllib.request.Request(url, headers={ + "User-Agent": "Mozilla/5.0 (remnux-doc-scraper)", + "Accept": "text/html,application/xhtml+xml", + }) + try: + with urllib.request.urlopen(req, timeout=30) as resp: + return resp.read().decode("utf-8", errors="replace") + except Exception as e: + print(f" Warning: could not fetch {url}: {e}") + return None + + +def normalize_id(name): + """Convert tool name to a normalized kebab-case ID.""" + # Remove .py suffix for ID, keep display name + n = name.lower().strip() + n = re.sub(r'\.py$', '-py', n) + n = re.sub(r'\.pl$', '-pl', n) + n = re.sub(r'\.bat$', '-bat', n) + n = re.sub(r'[^a-z0-9]+', '-', n) + n = n.strip('-') + return n + + +def extract_tools_from_html(html, category, 
category_path): + """Extract tool entries from a docs page HTML.""" + tools = [] + + # GitBook pages use specific patterns for tool headings + # Pattern 1:

or

headings with tool names + # Pattern 2: Bold text followed by description + # The docs use a pattern like: **Tool Name** description text + + # Try to find tool sections - GitBook uses specific div/section patterns + # Look for heading patterns with tool names + heading_pattern = re.compile( + r']*id="([^"]*)"[^>]*>.*?]*>.*?\s*(.*?)\s*', + re.DOTALL | re.IGNORECASE + ) + + # Also try plain text patterns + # GitBook often renders as: tool-name followed by description + bold_pattern = re.compile( + r'(.*?)\s*[-:]\s*(.*?)(?=<(?:br|p|div|strong|h[23])|$)', + re.DOTALL | re.IGNORECASE + ) + + # Find headings first + for match in heading_pattern.finditer(html): + anchor_id = match.group(1) + heading_text = re.sub(r'<[^>]+>', '', match.group(2)).strip() + if heading_text and len(heading_text) < 80: + # Get description from content after heading + pos = match.end() + desc_chunk = html[pos:pos+500] + desc_chunk = re.sub(r'<[^>]+>', ' ', desc_chunk) + desc_chunk = re.sub(r'\s+', ' ', desc_chunk).strip() + # Take first sentence + desc = desc_chunk.split('.')[0].strip() + '.' if desc_chunk else "" + if len(desc) > 200: + desc = desc[:197] + "..." 
+ + # Try to find website URL near this section + website_chunk = html[pos:pos+2000] + website_match = re.search(r'href="(https?://(?!docs\.remnux)[^"]+)"', website_chunk) + website = website_match.group(1) if website_match else "" + + tool = { + "name": heading_text, + "id": normalize_id(heading_text), + "category": category, + "category_path": category_path, + "description": desc, + "docs_url": f"{BASE_URL}/{category_path}", + "anchor": anchor_id, + } + if website: + tool["website"] = website + tools.append(tool) + + # If we got nothing from headings, try the bold pattern + if not tools: + for match in bold_pattern.finditer(html): + name = re.sub(r'<[^>]+>', '', match.group(1)).strip() + desc = re.sub(r'<[^>]+>', ' ', match.group(2)).strip() + desc = re.sub(r'\s+', ' ', desc).strip() + if name and len(name) < 80 and len(name) > 1: + if len(desc) > 200: + desc = desc[:197] + "..." + tools.append({ + "name": name, + "id": normalize_id(name), + "category": category, + "category_path": category_path, + "description": desc, + "docs_url": f"{BASE_URL}/{category_path}", + }) + + return tools + + +def main(): + print("Scraping REMnux documentation...") + all_tools = [] + + for category, path in CATEGORY_PAGES: + url = f"{BASE_URL}/{path}" + print(f" Fetching: {category}") + html = fetch_page(url) + + if not html: + print(f" Skipped (fetch failed)") + continue + + tools = extract_tools_from_html(html, category, path) + print(f" Found {len(tools)} tools") + all_tools.extend(tools) + + time.sleep(0.3) # Be polite + + # Deduplicate by id (same tool can appear in multiple categories) + seen = {} + for t in all_tools: + tid = t["id"] + if tid not in seen: + seen[tid] = t + else: + # Tool appears in multiple categories - track both + existing = seen[tid] + if "additional_categories" not in existing: + existing["additional_categories"] = [] + existing["additional_categories"].append(t["category"]) + + unique_tools = sorted(seen.values(), key=lambda t: t["id"]) + + output = { + 
"metadata": { + "source": "https://docs.remnux.org/discover-the-tools", + "categories_scraped": len(CATEGORY_PAGES), + "total_tools_extracted": len(unique_tools), + "category_counts": {}, + }, + "tools": unique_tools, + } + + # Count per category + for t in all_tools: + cat = t["category"] + output["metadata"]["category_counts"][cat] = \ + output["metadata"]["category_counts"].get(cat, 0) + 1 + + os.makedirs(os.path.dirname(OUTPUT_PATH), exist_ok=True) + with open(OUTPUT_PATH, "w") as f: + yaml.dump(output, f, default_flow_style=False, sort_keys=False, allow_unicode=True) + + print(f"\nDone! Extracted {len(unique_tools)} unique tools from {len(CATEGORY_PAGES)} category pages") + print(f"Output: {OUTPUT_PATH}") + + +if __name__ == "__main__": + main() diff --git a/scripts/verify-help-quality.py b/scripts/verify-help-quality.py new file mode 100644 index 0000000..f9b0198 --- /dev/null +++ b/scripts/verify-help-quality.py 
@@ -0,0 +1,360 @@
+#!/usr/bin/env python3
+"""Comprehensive verification of generated help artifacts.
+
+Tests:
+1. All FOR610 tools with in_remnux=true have cheatsheets
+2. All cheatsheet content matches researched data
+3. All workflows are generated and contain correct tool references
+4. tools.db entries match master inventory
+5. No orphaned references (tools in labs but missing from master)
+6. Rich-tier cheatsheets have usage examples from FOR610
+7. REMnux docs tools have correct descriptions
+"""
+
+import os
+import sys
+import yaml
+import glob
+
+BASE_DIR = os.path.join(os.path.dirname(__file__), "..")
+
+def load_yaml(path):
+ with open(path) as f:
+ return yaml.safe_load(f)
+
+
+def test_master_inventory():
+ """Verify master inventory integrity."""
+ print("=" * 60)
+ print("TEST 1: Master Inventory Integrity")
+ print("=" * 60)
+ errors = []
+
+ master = load_yaml(os.path.join(BASE_DIR, "data/remnux/tools-master.yaml"))
+ tools = master["tools"]
+
+ # Check all tools have required fields
+ for t in tools:
+ tid = t.get("id", "MISSING")
+ if not t.get("id"):
+ errors.append(f"Tool missing id: {t}")
+ if not t.get("name"):
+ errors.append(f"Tool {tid} missing name")
+ if "sources" not in t:
+ errors.append(f"Tool {tid} missing sources")
+ if "help_tier" not in t:
+ errors.append(f"Tool {tid} missing help_tier")
+
+ # Check no duplicate IDs
+ ids = [t["id"] for t in tools]
+ dupes = [x for x in ids if ids.count(x) > 1]
+ if dupes:
+ errors.append(f"Duplicate IDs: {set(dupes)}")
+
+ print(f" Total tools: {len(tools)}")
+ print(f" Errors: {len(errors)}")
+ for e in errors[:10]:
+ print(f" ! {e}")
+ return errors
+
+
+def test_for610_coverage():
+ """Verify all FOR610 in_remnux tools appear in master and have cheatsheets."""
+ print("\n" + "=" * 60)
+ print("TEST 2: FOR610 Tool Coverage")
+ print("=" * 60)
+ errors = []
+
+ for610 = load_yaml(os.path.join(BASE_DIR, "data/for610/tools.yaml"))
+ master = load_yaml(os.path.join(BASE_DIR, "data/remnux/tools-master.yaml"))
+ master_ids = {t["id"] for t in master["tools"]}
+
+ cheat_dir = os.path.join(BASE_DIR, "data/generated/cheatsheets")
+ cheat_files = {os.path.basename(f).replace(".cheat", "")
+ for f in glob.glob(os.path.join(cheat_dir, "*.cheat"))}
+
+ for610_remnux = [t for t in for610["tools"] if t.get("in_remnux")]
+ for610_all = for610["tools"]
+
+ # Check all FOR610 in_remnux tools are in master
+ missing_from_master = []
+ for t in for610_remnux:
+ if t["id"] not in master_ids:
+ missing_from_master.append(t["id"])
+ errors.append(f"FOR610 tool '{t['id']}' ({t['name']}) not in master inventory")
+
+ # Check all FOR610 in_remnux tools have cheatsheets
+ missing_cheats = []
+ for t in for610_remnux:
+ name_variants = [
+ t["name"].lower().replace(" ", "-"),
+ t["id"],
+ t["name"].lower(),
+ ]
+ found = False
+ for v in name_variants:
+ if v in cheat_files:
+ found = True
+ break
+ if not found:
+ missing_cheats.append(t["name"])
+
+ # Check rich-tier cheatsheets have usage examples
+ rich_without_examples = []
+ for t in for610_remnux:
+ usages = t.get("typical_usage", [])
+ cheat_path = os.path.join(cheat_dir, t["name"].lower().replace(" ", "-") + ".cheat")
+ if not os.path.exists(cheat_path):
+ cheat_path = os.path.join(cheat_dir, t["id"] + ".cheat")
+ if os.path.exists(cheat_path):
+ content = open(cheat_path).read()
+ if usages and not any(u in content for u in usages[:1]):
+ rich_without_examples.append(t["name"])
+
+ print(f" FOR610 tools (all): {len(for610_all)}")
+ print(f" FOR610 in REMnux: {len(for610_remnux)}")
+ print(f" Missing from master: {len(missing_from_master)}")
+ print(f" Missing cheatsheets: {len(missing_cheats)}")
+ if missing_cheats:
+ for m in missing_cheats[:5]:
+ print(f" ! {m}")
+ print(f" Rich without examples: {len(rich_without_examples)}")
+ if rich_without_examples:
+ for m in rich_without_examples[:5]:
+ print(f" ! {m}")
+ print(f" Errors: {len(errors)}")
+ return errors
+
+
+def test_tools_db():
+ """Verify tools.db matches master inventory."""
+ print("\n" + "=" * 60)
+ print("TEST 3: tools.db Consistency")
+ print("=" * 60)
+ errors = []
+
+ master = load_yaml(os.path.join(BASE_DIR, "data/remnux/tools-master.yaml"))
+ remnux_tools = {t["name"]: t for t in master["tools"] if t.get("in_remnux")}
+
+ db_path = os.path.join(BASE_DIR, "data/generated/tools.db")
+ db_entries = {}
+ with open(db_path) as f:
+ for line in f:
+ line = line.strip()
+ if not line:
+ continue
+ parts = line.split("|")
+ if len(parts) >= 5:
+ db_entries[parts[0]] = {
+ "name": parts[0],
+ "description": parts[1],
+ "category": parts[2],
+ "usage": parts[3],
+ "tier": parts[4],
+ }
+
+ # Check all REMnux tools are in DB
+ missing_from_db = []
+ for name, tool in remnux_tools.items():
+ if name not in db_entries:
+ missing_from_db.append(name)
+
+ # Check no empty descriptions
+ empty_descs = [e["name"] for e in db_entries.values()
+ if e["description"] == "(no description available)"]
+
+ # Check tier consistency
+ tier_mismatches = []
+ for name, entry in db_entries.items():
+ if name in remnux_tools:
+ expected_tier = remnux_tools[name].get("help_tier", "stub")
+ if entry["tier"] != expected_tier:
+ tier_mismatches.append(f"{name}: db={entry['tier']} vs master={expected_tier}")
+
+ print(f" tools.db entries: {len(db_entries)}")
+ print(f" REMnux tools in master: {len(remnux_tools)}")
+ print(f" Missing from DB: {len(missing_from_db)}")
+ if missing_from_db:
+ for m in missing_from_db[:5]:
+ print(f" ! {m}")
+ print(f" Empty descriptions: {len(empty_descs)}")
+ if empty_descs:
+ for m in empty_descs[:5]:
+ print(f" ! {m}")
+ print(f" Tier mismatches: {len(tier_mismatches)}")
+ return errors
+
+
+def test_workflows():
+ """Verify all workflow files are generated and contain valid tool references."""
+ print("\n" + "=" * 60)
+ print("TEST 4: Workflow Files")
+ print("=" * 60)
+ errors = []
+
+ wf_src = load_yaml(os.path.join(BASE_DIR, "data/for610/workflows.yaml"))
+ wf_dir = os.path.join(BASE_DIR, "data/generated/workflows")
+
+ expected_workflows = wf_src.get("workflows", [])
+ generated = glob.glob(os.path.join(wf_dir, "*.txt"))
+ generated_names = {os.path.basename(f).replace(".txt", "") for f in generated}
+
+ # Check all workflows generated
+ for wf in expected_workflows:
+ wf_id = wf["id"].replace("_", "-")
+ if wf_id not in generated_names:
+ errors.append(f"Missing workflow file: {wf_id}.txt")
+
+ # Check index file exists
+ if "index" not in generated_names:
+ errors.append("Missing workflow index.txt")
+
+ # Check each workflow file has content
+ for f in generated:
+ content = open(f).read()
+ if len(content) < 50:
+ errors.append(f"Workflow file too short: {os.path.basename(f)}")
+
+ print(f" Expected workflows: {len(expected_workflows)}")
+ print(f" Generated files: {len(generated)} (including index)")
+ print(f" Errors: {len(errors)}")
+ for e in errors:
+ print(f" ! {e}")
+ return errors
+
+
+def test_lab_tool_references():
+ """Verify all tools referenced in labs exist in master inventory."""
+ print("\n" + "=" * 60)
+ print("TEST 5: Lab-Tool Cross-References")
+ print("=" * 60)
+ errors = []
+
+ labs = load_yaml(os.path.join(BASE_DIR, "data/for610/labs.yaml"))
+ master = load_yaml(os.path.join(BASE_DIR, "data/remnux/tools-master.yaml"))
+ master_ids = {t["id"] for t in master["tools"]}
+
+ for610_tools = load_yaml(os.path.join(BASE_DIR, "data/for610/tools.yaml"))
+ for610_ids = {t["id"] for t in for610_tools["tools"]}
+
+ # Check all tool_ids in labs exist in FOR610
+ missing = set()
+ for lab in labs["labs"]:
+ for tu in lab.get("tools_used", []):
+ tid = tu["tool_id"]
+ if tid not in for610_ids:
+ missing.add(f"Lab {lab['id']}: tool '{tid}'")
+ errors.append(f"Lab {lab['id']} references unknown tool: {tid}")
+
+ print(f" Labs: {len(labs['labs'])}")
+ print(f" Missing tool references: {len(missing)}")
+ for m in sorted(missing)[:5]:
+ print(f" ! {m}")
+ return errors
+
+
+def test_remnux_docs_coverage():
+ """Check how many REMnux-documented tools have help content."""
+ print("\n" + "=" * 60)
+ print("TEST 6: REMnux Docs Coverage in Help")
+ print("=" * 60)
+ errors = []
+
+ master = load_yaml(os.path.join(BASE_DIR, "data/remnux/tools-master.yaml"))
+ cheat_dir = os.path.join(BASE_DIR, "data/generated/cheatsheets")
+
+ docs_tools = [t for t in master["tools"]
+ if t["sources"]["remnux_docs"].get("covered") and t.get("in_remnux")]
+ docs_with_cheat = 0
+ docs_without_cheat = []
+
+ for t in docs_tools:
+ name = t["name"].lower().replace(" ", "-")
+ variants = [name, t["id"], name + ".cheat"]
+ found = any(os.path.exists(os.path.join(cheat_dir, v + ".cheat")) for v in [name, t["id"]])
+ if found:
+ docs_with_cheat += 1
+ else:
+ docs_without_cheat.append(t["name"])
+
+ print(f" REMnux-documented tools: {len(docs_tools)}")
+ print(f" With cheatsheets: {docs_with_cheat}")
+ print(f" Without cheatsheets: {len(docs_without_cheat)}")
+ if docs_without_cheat:
+ for m in docs_without_cheat[:5]:
+ print(f" ! {m}")
+ return errors
+
+
+def test_cheatsheet_quality():
+ """Spot-check cheatsheet content for key tools."""
+ print("\n" + "=" * 60)
+ print("TEST 7: Cheatsheet Quality Spot-Checks")
+ print("=" * 60)
+ errors = []
+
+ cheat_dir = os.path.join(BASE_DIR, "data/generated/cheatsheets")
+
+ # Key tools that MUST have good cheatsheets
+ key_tools = {
+ "pdfid.py": ["pdfid.py", "document.pdf"],
+ "pdf-parser.py": ["pdf-parser.py", "-a", "-s"],
+ "oledump.py": ["oledump.py", "-s", "-v"],
+ "capa": ["capa", "specimen"],
+ "speakeasy": ["speakeasy", "-t"],
+ "ghidra": ["ghidra"],
+ "wireshark": ["wireshark"],
+ "floss": ["floss"],
+ "scdbgc": ["scdbgc", "/f"],
+ "rtfdump.py": ["rtfdump.py"],
+ }
+
+ for tool, expected_strings in key_tools.items():
+ cheat_path = os.path.join(cheat_dir, tool + ".cheat")
+ if not os.path.exists(cheat_path):
+ # Try without .py
+ alt = tool.replace(".py", "-py") + ".cheat"
+ cheat_path = os.path.join(cheat_dir, alt)
+
+ if not os.path.exists(cheat_path):
+ errors.append(f"Key tool {tool} has no cheatsheet")
+ print(f" ! {tool}: NO CHEATSHEET")
+ continue
+
+ content = open(cheat_path).read()
+ missing_strings = [s for s in expected_strings if s not in content]
+ if missing_strings:
+ errors.append(f"{tool} cheatsheet missing: {missing_strings}")
+ print(f" ! {tool}: missing {missing_strings}")
+ else:
+ print(f" + {tool}: OK")
+
+ return errors
+
+
+def main():
+ all_errors = []
+
+ all_errors.extend(test_master_inventory())
+ all_errors.extend(test_for610_coverage())
+ all_errors.extend(test_tools_db())
+ all_errors.extend(test_workflows())
+ all_errors.extend(test_lab_tool_references())
+ all_errors.extend(test_remnux_docs_coverage())
+ all_errors.extend(test_cheatsheet_quality())
+
+ print("\n" + "=" * 60)
+ print("SUMMARY")
+ print("=" * 60)
+ if all_errors:
+ print(f"\n Total issues found: {len(all_errors)}")
+ for e in all_errors:
+ print(f" - {e}")
+ sys.exit(1)
+ else:
+ print(f"\n All tests passed!")
+ sys.exit(0)
+
+
+if __name__ == "__main__":
+ main()
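Review bot: Several checks in the new scripts/verify-help-quality.py compute failures but never add them to `errors`, so `main()` exits 0 even when the documented gate is not met: `missing_cheats` and `rich_without_examples` in test_for610_coverage, `missing_from_db`, `empty_descs` and `tier_mismatches` in test_tools_db, and `docs_without_cheat` in test_remnux_docs_coverage are only printed, while the module docstring lists "All FOR610 tools with in_remnux=true have cheatsheets" and "tools.db entries match master inventory" as tests and test_tools_db can never return a non-empty list. Either feed them into the result, e.g. `errors.extend(f"Missing cheatsheet for FOR610 tool: {m}" for m in missing_cheats)` beside the existing `errors.append` calls, or say in each function's docstring that these counts are informational and do not affect the exit code, so a CI consumer knows what a passing run actually guarantees. The cheatsheet and workflow files are read with a bare `open(path).read()` in test_for610_coverage, test_workflows and test_cheatsheet_quality, and `load_yaml` opens without an encoding, which leaves the handle to the garbage collector and decodes with the locale encoding even though the pipeline emits UTF-8 (the scraper dumps with `allow_unicode=True`); prefer `with open(path, encoding="utf-8") as fh: content = fh.read()`. Minor: `dupes = [x for x in ids if ids.count(x) > 1]` in test_master_inventory is quadratic in inventory size and reads more clearly as a `collections.Counter` lookup.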