Add FOR610 tool/workflow knowledge base and data pipeline

Build comprehensive malware analysis knowledge base from 3 sources: - SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes - REMnux salt-states: 340 packages parsed from GitHub - REMnux docs: 280+ tools scraped from docs.remnux.org Master inventory merges all sources into 447 tools with help tiers (rich/standard/basic). Pipeline generates: tools.db (397 entries), 397 cheatsheets with multi-tool recipes, 15 workflow guides, 224 TLDR pages, and coverage reports. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 17:38:15 +01:00
parent 06ebb09ab0
commit f3ccc09c3d
663 changed files with 36339 additions and 1 deletions
@@ -0,0 +1,18 @@
+# 1768.py
+# Parse Cobalt Strike beacon configuration from shellcode or memory dumps
+# FOR610 Labs: 3.4 | Sections: 3 | Author: Didier Stevens
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+
+% cobalt-strike, beacon, c2-config, didier-stevens
+
+# Basic usage
+1768.py shellcode.bin
+
+
+# --- Recipes (multi-tool chains) ---
+
+# >> Parse Cobalt Strike Beacon Configuration
+# Scan with YARA for CS signatures
+yara-rules <sample>
+# Extract beacon configuration
+1768.py <sample_or_shellcode.bin>
@@ -0,0 +1,9 @@
+# 7-Zip
+# Compress and decompress files using a variety of algorithms.
+# Category: Examine Static Properties > General
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
+
+% 7-zip
+
+# Show help for 7-Zip
+7-Zip --help
@@ -0,0 +1,7 @@
+# 7zip
+# Installed via: apt (remnux-packages-p7zip-full)
+
+% 7zip
+
+# Show help for 7zip
+7zip --help
@@ -0,0 +1,7 @@
+# aeskeyfind
+# Installed via: apt (aeskeyfind)
+
+% aeskeyfind
+
+# Show help for aeskeyfind
+aeskeyfind --help
@@ -0,0 +1,9 @@
+# AESKeyFinder
+# Find 128-bit and 256-bit AES keys in a memory image.
+# Category: Perform Memory Forensics
+# Docs: https://docs.remnux.org/discover-the-tools/perform+memory+forensics
+
+% aeskeyfinder
+
+# Show help for AESKeyFinder
+AESKeyFinder --help
@@ -0,0 +1,14 @@
+# androguard
+# Analyze Android APK files — extract permissions, activities, intents, and decompile DEX code
+# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android
+
+% android, apk, permissions, decompilation
+
+# Basic usage
+androguard analyze <app.apk>
+
+# Output to file
+androguard decompile -o output/ <app.apk>
+
+# Save output to file
+androgui.py <app.apk>
@@ -0,0 +1,7 @@
+# android-project-creator
+# Installed via: unknown (android-project-creator)
+
+% android-project-creator
+
+# Show help for android-project-creator
+android-project-creator --help
@@ -0,0 +1,9 @@
+# AndroidProjectCreator
+# Convert an Android APK application file into an Android Studio project for easier analysis.
+# Category: Statically Analyze Code > Android
+# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android
+
+% androidprojectcreator
+
+# Show help for AndroidProjectCreator
+AndroidProjectCreator --help
@@ -0,0 +1,9 @@
+# anomy
+# A wrapper around wget, ssh, sftp, ftp, and telnet to route these connections through Tor to anonymize your traffic.
+# Category: Explore Network Interactions > Connecting
+# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting
+
+% anomy
+
+# Show help for anomy
+anomy --help
@@ -0,0 +1,9 @@
+# apkid
+# Identify compilers, packers, and obfuscators used to protect Android APK and DEX files.
+# Category: Statically Analyze Code > Android
+# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android
+
+% apkid
+
+# Show help for apkid
+apkid --help
@@ -0,0 +1,24 @@
+# apktool
+# Decompile and recompile Android APK files — extract resources, smali code, and manifest
+# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android
+
+% android, apk, decompilation, resources
+
+# Basic usage
+apktool d <app.apk> -o output/
+
+# Output to file
+apktool b output/ -o rebuilt.apk
+
+
+# --- Recipes (multi-tool chains) ---
+
+# >> Quick APK Triage
+# Check for packers/obfuscators
+apkid <app.apk>
+# Decompile to smali + resources
+apktool d <app.apk> -o output/
+# Check permissions
+grep 'uses-permission' output/AndroidManifest.xml
+# Decompile to Java source
+jadx <app.apk> -d src/
@@ -0,0 +1,7 @@
+# apt-utils
+# Installed via: apt (apt-utils)
+
+% apt-utils
+
+# Show help for apt-utils
+apt-utils --help
@@ -0,0 +1,7 @@
+# archive-zip
+# Installed via: perl (cpan)
+
+% archive-zip
+
+# Show help for archive-zip
+archive-zip --help
@@ -0,0 +1,7 @@
+# autoconf
+# Installed via: apt (autoconf)
+
+% autoconf
+
+# Show help for autoconf
+autoconf --help
@@ -0,0 +1,9 @@
+# autoit-ripper
+# Extract AutoIt scripts embedded in PE binaries.
+# Category: Statically Analyze Code > Scripts
+# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts
+
+% autoit-ripper
+
+# Show help for autoit-ripper
+autoit-ripper --help
@@ -0,0 +1,7 @@
+# autologin
+# Installed via: unknown (autologin)
+
+% autologin
+
+# Show help for autologin
+autologin --help
@@ -0,0 +1,7 @@
+# automake
+# Installed via: apt (automake)
+
+% automake
+
+# Show help for automake
+automake --help
@@ -0,0 +1,9 @@
+# baksmali
+# Disassembler for the dex format used by Dalvik, Android&#x27;s Java VM implementation.
+# Category: Statically Analyze Code > Android
+# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android
+
+% baksmali
+
+# Show help for baksmali
+baksmali --help
@@ -0,0 +1,9 @@
+# balbuzard
+# Extract and deobfuscate patterns from suspicious files.
+# Category: Examine Static Properties > Deobfuscation
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+
+% balbuzard
+
+# Show help for balbuzard
+balbuzard --help
@@ -0,0 +1,53 @@
+# base64dump.py
+# Extract and decode Base64-encoded strings from files
+# FOR610 Labs: 3.4, 4.5 | Sections: 3, 4 | Author: Didier Stevens
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+
+% base64, decoding, didier-stevens
+
+# Basic usage
+base64dump.py file.txt
+
+# Suppress default output
+base64dump.py file.ps1 -n 10
+
+# Select specific item
+base64dump.py file.ps1 -s 2 -d
+
+
+# --- Recipes (multi-tool chains) ---
+
+# >> Extract Base64 PowerShell from Office Macro
+# List streams — find macro (M) and data streams
+oledump.py <document>
+# Extract VBA source to understand what the macro does
+oledump.py <document> -s <macro_stream> -v
+# Scan data stream for Base64 strings
+oledump.py <document> -s <data_stream> -d | base64dump.py -n 10
+# Decode the longest Base64 hit to file
+oledump.py <document> -s <data_stream> -d | base64dump.py -s 1 -d > payload.ps1
+
+# >> Decode Base64 + Gzip Payload
+# Find Base64 strings in the script
+base64dump.py <script.ps1> -n 10
+# Decode Base64 and decompress gzip in one chain
+base64dump.py <script.ps1> -s <selection> -d | gunzip > decoded.ps1
+
+# >> Decode Base64 + XOR Shellcode
+# Find Base64 strings
+base64dump.py <script.ps1> -n 10
+# Decode Base64, then XOR with key
+base64dump.py <script.ps1> -s <selection> -d | translate.py 'byte ^ <key>' > shellcode.bin
+
+# >> Full Office Macro Decode Chain
+# Step 1: List streams and extract VBA
+oledump.py <document>
+oledump.py <document> -s <macro_stream> -v
+# Step 2: Extract Base64 from data stream
+oledump.py <document> -s <data_stream> -d | base64dump.py -s 1 -d > stage1.ps1
+# Step 3: Decode second Base64 layer + decompress
+base64dump.py stage1.ps1 -s 3 -d | gunzip > stage2.ps1
+# Step 4: XOR decode the shellcode
+base64dump.py stage2.ps1 -s 2 -d | translate.py 'byte ^ 35' > shellcode.bin
+# Step 5: Emulate the shellcode
+scdbgc /f shellcode.bin /s -1
@@ -0,0 +1,7 @@
+# bash-history
+# Installed via: unknown (bash-history)
+
+% bash-history
+
+# Show help for bash-history
+bash-history --help
@@ -0,0 +1,7 @@
+# bash-rc
+# Installed via: unknown (bash-rc)
+
+% bash-rc
+
+# Show help for bash-rc
+bash-rc --help
@@ -0,0 +1,23 @@
+# bbcrack
+# Detect and decode strings obfuscated with XOR, ROL, and ADD algorithms
+# FOR610 Labs: 5.2 | Sections: 5
+
+% xor, rol, add, deobfuscation, balbuzard
+
+# Basic usage
+bbcrack -l 1 specimen.dll
+
+
+# --- Recipes (multi-tool chains) ---
+
+# >> Brute-Force XOR Key
+# Quick check for XOR-encoded URLs/PE headers
+XORSearch <file> http:
+# Brute-force single-byte XOR keys
+brxor.py <file>
+# Try XOR, ROL, ADD combinations
+bbcrack -l 1 <file>
+# Guess multi-byte XOR key length and value
+xortool <file>
+# Decode with known key
+xortool-xor -s '<key>' -i <encoded> -o <decoded>
@@ -0,0 +1,7 @@
+# bearparser
+# Installed via: apt (bearparser)
+
+% bearparser
+
+# Show help for bearparser
+bearparser --help
@@ -0,0 +1,9 @@
+# binee (Binary Emulation Environment)
+# Analyze I/O operations of a suspicious PE file by emulating its execution.
+# Category: Statically Analyze Code > PE Files
+# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files
+
+% binee--binary-emulation-environment
+
+# Show help for binee (Binary Emulation Environment)
+binee (Binary Emulation Environment) --help
@@ -0,0 +1,7 @@
+# binee
+# Installed via: unknown (binee)
+
+% binee
+
+# Show help for binee
+binee --help
@@ -0,0 +1,7 @@
+# binutils
+# Installed via: apt (binutils)
+
+% binutils
+
+# Show help for binutils
+binutils --help
@@ -0,0 +1,12 @@
+# binwalk
+# Analyze and extract embedded files and firmware images
+# Sections: 1
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
+
+% firmware, extraction, embedded-files
+
+# Basic usage
+binwalk firmware.bin
+
+# Alternative usage
+binwalk -e firmware.bin
@@ -0,0 +1,9 @@
+# box-js
+# JavaScript sandbox for analyzing malicious scripts by emulating browser/WScript APIs
+# Sections: 3
+# Docs: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts
+
+% javascript, sandbox, emulation
+
+# Basic usage
+box-js --output-dir=/tmp suspicious.js
@@ -0,0 +1,24 @@
+# brxor.py
+# Brute-force XOR key detection for single-byte XOR-encoded strings
+# FOR610 Labs: 5.2 | Sections: 5
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+
+% xor, brute-force, deobfuscation
+
+# Basic usage
+brxor.py specimen.dll
+
+
+# --- Recipes (multi-tool chains) ---
+
+# >> Brute-Force XOR Key
+# Quick check for XOR-encoded URLs/PE headers
+XORSearch <file> http:
+# Brute-force single-byte XOR keys
+brxor.py <file>
+# Try XOR, ROL, ADD combinations
+bbcrack -l 1 <file>
+# Guess multi-byte XOR key length and value
+xortool <file>
+# Decode with known key
+xortool-xor -s '<key>' -i <encoded> -o <decoded>
@@ -0,0 +1,7 @@
+# build-essential
+# Installed via: apt (build-essential)
+
+% build-essential
+
+# Show help for build-essential
+build-essential --help
@@ -0,0 +1,9 @@
+# bulk-extractor
+# Extract interesting strings from binary files.
+# Category: Examine Static Properties > General
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
+
+% bulk-extractor
+
+# Show help for bulk-extractor
+bulk-extractor --help
@@ -0,0 +1,7 @@
+# bundler
+# Installed via: apt (bundler)
+
+% bundler
+
+# Show help for bundler
+bundler --help
@@ -0,0 +1,9 @@
+# Burp Suite Community Edition
+# Investigate website interactions using this web proxy.
+# Category: Explore Network Interactions > Monitoring
+# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring
+
+% burp-suite-community-edition
+
+# Show help for Burp Suite Community Edition
+Burp Suite Community Edition --help
@@ -0,0 +1,7 @@
+# burpsuite-community
+# Installed via: apt (remnux-packages-burpsuite-community)
+
+% burpsuite-community
+
+# Show help for burpsuite-community
+burpsuite-community --help
@@ -0,0 +1,9 @@
+# Bytehist
+# Generate byte-usage histograms to visually identify packed or encrypted sections in binaries
+# Sections: 1, 4
+# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/unpacking
+
+% pe, entropy, packing-detection, histogram
+
+# Basic usage
+bytehist specimen.exe
@@ -0,0 +1,9 @@
+# cabextract
+# Extract Microsoft cabinet (cab) files.
+# Category: General Utilities
+# Docs: https://docs.remnux.org/discover-the-tools/general+utilities
+
+% cabextract
+
+# Show help for cabextract
+cabextract --help
@@ -0,0 +1,28 @@
+# capa
+# Identify malware capabilities mapped to MITRE ATT&CK framework and Malware Behavior Catalog
+# FOR610 Labs: 1.4, 5.4 | Sections: 1, 5
+# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files
+
+% capabilities, mitre-attack, automated-analysis
+
+# Basic usage
+capa specimen.exe
+
+# Verbose output with details
+capa -vv specimen.exe
+
+# Verbose output with details
+capa -vv specimen.exe | grep -A7 'Suspended Process'
+
+
+# --- Recipes (multi-tool chains) ---
+
+# >> Filter Capabilities by Technique
+# Full capabilities report
+capa <sample>
+# Verbose with rule matches
+capa -vv <sample>
+# Filter for specific technique
+capa -vv <sample> | grep -A7 '<technique_name>'
+# Find injection-related capabilities
+capa -vv <sample> | grep -A7 'inject\|hollow\|suspend'
@@ -0,0 +1,9 @@
+# cast
+# Install and manage SaltStack-based Linux distributions.
+# Category: General Utilities
+# Docs: https://docs.remnux.org/discover-the-tools/general+utilities
+
+% cast
+
+# Show help for cast
+cast --help
@@ -0,0 +1,7 @@
+# cffi
+# Installed via: pip (remnux-python3-packages-cffi)
+
+% cffi
+
+# Show help for cffi
+cffi --help
@@ -0,0 +1,11 @@
+# cfr
+# Modern Java decompiler — handles Java 8+ features including lambdas and try-with-resources
+# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/java
+
+% java, decompilation, jar
+
+# Basic usage
+cfr <file.jar> --outputdir output/
+
+# Save output to file
+cfr <file.class>
@@ -0,0 +1,9 @@
+# chepy
+# Decode and otherwise analyze data using this command-line tool and Python library.
+# Category: Examine Static Properties > Deobfuscation
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+
+% chepy
+
+# Show help for chepy
+chepy --help
@@ -0,0 +1,7 @@
+# clamav-daemon
+# Installed via: apt (clamav-daemon)
+
+% clamav-daemon
+
+# Show help for clamav-daemon
+clamav-daemon --help
@@ -0,0 +1,14 @@
+# ClamAV
+# Open-source antivirus — scan files for known malware signatures
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
+
+% antivirus, scanning, signatures
+
+# Basic usage
+clamscan <sample>
+
+# Recursive/follow references
+clamscan -r <directory>/
+
+# Alternative usage
+freshclam
@@ -0,0 +1,9 @@
+# Cobalt Strike Configuration Extractor (CSCE) and Parser
+# Analyze Cobalt Strike beacons.
+# Category: Examine Static Properties > Deobfuscation
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+
+% cobalt-strike-configuration-extractor--csce--and-parser
+
+# Show help for Cobalt Strike Configuration Extractor (CSCE) and Parser
+Cobalt Strike Configuration Extractor (CSCE) and Parser --help
@@ -0,0 +1,7 @@
+# compatibility
+# Installed via: unknown (compatibility)
+
+% compatibility
+
+# Show help for compatibility
+compatibility --help
@@ -0,0 +1,8 @@
+# cs-analyze-processdump.py
+# Analyze Cobalt Strike beacon process dumps for sleep mask encoding
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+
+% cobalt-strike, sleep-mask, memory
+
+# Basic usage
+cs-analyze-processdump.py <process_dump>
@@ -0,0 +1,8 @@
+# cs-decrypt-metadata.py
+# Decrypt Cobalt Strike beacon metadata from network captures
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+
+% cobalt-strike, decryption, metadata
+
+# Basic usage
+cs-decrypt-metadata.py <metadata_hex>
@@ -0,0 +1,8 @@
+# cs-extract-key.py
+# Extract AES and HMAC encryption keys from Cobalt Strike beacon process memory dumps
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+
+% cobalt-strike, encryption, key-extraction
+
+# Basic usage
+cs-extract-key.py -f <process_dump>
@@ -0,0 +1,8 @@
+# cs-parse-traffic.py
+# Decrypt and parse Cobalt Strike beacon network traffic using extracted keys
+# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring
+
+% cobalt-strike, traffic, decryption
+
+# Basic usage
+cs-parse-traffic.py -f <capture.pcap> -k <keys_file>
@@ -0,0 +1,12 @@
+# curl
+# Transfer data to/from servers using various protocols
+# Sections: 1
+# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting
+
+% download, http, transfer
+
+# Basic usage
+curl -L http://example.com
+
+# Output to file
+curl -o output.bin http://example.com/file
@@ -0,0 +1,9 @@
+# cut-bytes.py
+# Cut out a part of a data stream.
+# Category: Examine Static Properties > Deobfuscation
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+
+% cut-bytes.py
+
+# Show help for cut-bytes.py
+cut-bytes.py --help
@@ -0,0 +1,9 @@
+# Cutter
+# Open-source reverse engineering platform — Qt-based GUI for radare2
+# Sections: 2
+# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/general
+
+% disassembly, radare2, open-source
+
+# Basic usage
+cutter specimen.exe
@@ -0,0 +1,18 @@
+# CyberChef
+# Web-based data transformation tool — decode Base64, XOR, hex, decompress, and chain operations
+# FOR610 Labs: 1.5, 3.8, 3.12 | Sections: 1, 3
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+
+% decoding, encoding, transformation, web-based
+
+# Basic usage
+cyberchef
+
+
+# --- Recipes (multi-tool chains) ---
+
+# >> Visual XOR/Base64 Decode with CyberChef
+# Launch CyberChef
+cyberchef
+# Common recipe: From Hex → XOR (key) → extract strings
+# Common recipe: From Base64 → Decode text UTF-16LE
@@ -0,0 +1,11 @@
+# dc3-mwcp
+# DC3 Malware Configuration Parser — extract C2 configs from known malware families
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+
+% malware, config-extraction, c2
+
+# Basic usage
+mwcp parse <sample>
+
+# Save output to file
+mwcp parse -p Emotet <sample>
@@ -0,0 +1,21 @@
+# de4dot
+# .NET deobfuscator — remove obfuscation from .NET assemblies
+# FOR610 Labs: 4.8 | Sections: 4
+# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/.net
+
+% dotnet, deobfuscation
+
+# Basic usage
+de4dot obfuscated.exe
+
+
+# --- Recipes (multi-tool chains) ---
+
+# >> Decompile .NET on Command Line
+# Decompile to C# source
+ilspycmd <assembly.exe> > source.cs
+# Search for suspicious patterns
+grep -n 'Assembly.Load\|WebClient\|Process.Start' source.cs
+# If obfuscated, deobfuscate first
+de4dot <assembly.exe>
+ilspycmd <assembly-cleaned.exe> > source_clean.cs
@@ -0,0 +1,9 @@
+# decode-vbe.py
+# Decode encoded VBS scripts (VBE).
+# Category: Statically Analyze Code > Scripts
+# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts
+
+% decode-vbe.py
+
+# Show help for decode-vbe.py
+decode-vbe.py --help
@@ -0,0 +1,9 @@
+# Decompyle++
+# Python bytecode disassembler and decompiler.
+# Category: Statically Analyze Code > Python
+# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/python
+
+% decompyle
+
+# Show help for Decompyle++
+Decompyle++ --help
@@ -0,0 +1,7 @@
+# default-jdk
+# Installed via: apt (default-jdk)
+
+% default-jdk
+
+# Show help for default-jdk
+default-jdk --help
@@ -0,0 +1,7 @@
+# default-jre
+# Installed via: apt (default-jre)
+
+% default-jre
+
+# Show help for default-jre
+default-jre --help
@@ -0,0 +1,9 @@
+# dex2jar
+# Examine Dalvik Executable (dex) files.
+# Category: Statically Analyze Code > Android
+# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android
+
+% dex2jar
+
+# Show help for dex2jar
+dex2jar --help
@@ -0,0 +1,9 @@
+# dexray
+# Extract and decode data from antivirus quarantine files.
+# Category: Gather and Analyze Data
+# Docs: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data
+
+% dexray
+
+# Show help for dexray
+dexray --help
@@ -0,0 +1,7 @@
+# dialog
+# Installed via: apt (dialog)
+
+% dialog
+
+# Show help for dialog
+dialog --help
@@ -0,0 +1,7 @@
+# didier-stevens-scripts
+# Installed via: pip (remnux-python3-packages-dissect-fusepy-prereq)
+
+% didier-stevens-scripts
+
+# Show help for didier-stevens-scripts
+didier-stevens-scripts --help
@@ -0,0 +1,9 @@
+# diec
+# Detect packers, compilers, and tools used to create executables
+# FOR610 Labs: 4.1 | Sections: 1, 4
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
+
+% pe, packer-detection, compiler-detection
+
+# Basic usage
+diec specimen.exe
@@ -0,0 +1,9 @@
+# disitool
+# Manipulate embedded digital signatures.
+# Category: Examine Static Properties > General
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
+
+% disitool
+
+# Show help for disitool
+disitool --help
@@ -0,0 +1,7 @@
+# display
+# Installed via: unknown (set-scaling)
+
+% display
+
+# Show help for display
+display --help
@@ -0,0 +1,9 @@
+# dissect
+# Perform a variety of forensics and incident response tasks using this DFIR framework and toolset.
+# Category: Gather and Analyze Data
+# Docs: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data
+
+% dissect
+
+# Show help for dissect
+dissect --help
@@ -0,0 +1,7 @@
+# distro-info
+# Installed via: pip (distro-info)
+
+% distro-info
+
+# Show help for distro-info
+distro-info --help
@@ -0,0 +1,7 @@
+# dllcharacteristics
+# Installed via: script (dllcharacteristics.py)
+
+% dllcharacteristics
+
+# Show help for dllcharacteristics
+dllcharacteristics --help
@@ -0,0 +1,9 @@
+# dnfile
+# Analyze static properties of.
+# Category: Examine Static Properties > .NET
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/.net
+
+% dnfile
+
+# Show help for dnfile
+dnfile --help
@@ -0,0 +1,9 @@
+# dnslib
+# Python library to encode/decode DNS wire-format packets.
+# Category: Gather and Analyze Data
+# Docs: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data
+
+% dnslib
+
+# Show help for dnslib
+dnslib --help
@@ -0,0 +1,9 @@
+# dnsresolver.py
+# DNS resolver tool for dynamic analysis with wildcard and tracking support.
+# Category: Explore Network Interactions > Services
+# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services
+
+% dnsresolver.py
+
+# Show help for dnsresolver.py
+dnsresolver.py --help
@@ -0,0 +1,9 @@
+# docker
+# Run and manage containers.
+# Category: General Utilities
+# Docs: https://docs.remnux.org/discover-the-tools/general+utilities
+
+% docker
+
+# Show help for docker
+docker --help
@@ -0,0 +1,7 @@
+# dog
+# Installed via: unknown (dog)
+
+% dog
+
+# Show help for dog
+dog --help
@@ -0,0 +1,9 @@
+# dos2unix
+# Convert text files with Windows or macOS line breaks to Unix line breaks and vice versa.
+# Category: View or Edit Files
+# Docs: https://docs.remnux.org/discover-the-tools/view+or+edit+files
+
+% dos2unix
+
+# Show help for dos2unix
+dos2unix --help
@@ -0,0 +1,7 @@
+# dot-cache
+# Installed via: unknown (dot-cache)
+
+% dot-cache
+
+# Show help for dot-cache
+dot-cache --help
@@ -0,0 +1,7 @@
+# dot-config
+# Installed via: unknown (dot-config)
+
+% dot-config
+
+# Show help for dot-config
+dot-config --help
@@ -0,0 +1,7 @@
+# dot-cpan
+# Installed via: unknown (dot-cpan)
+
+% dot-cpan
+
+# Show help for dot-cpan
+dot-cpan --help
@@ -0,0 +1,7 @@
+# dot-dbus
+# Installed via: unknown (dot-dbus)
+
+% dot-dbus
+
+# Show help for dot-dbus
+dot-dbus --help
@@ -0,0 +1,7 @@
+# dot-local
+# Installed via: unknown (dot-local)
+
+% dot-local
+
+# Show help for dot-local
+dot-local --help
@@ -0,0 +1,7 @@
+# dotnet-runtime-3-1
+# Installed via: apt (dotnet3)
+
+% dotnet-runtime-3-1
+
+# Show help for dotnet-runtime-3-1
+dotnet-runtime-3-1 --help
@@ -0,0 +1,9 @@
+# dotnetfile
+# Analyze static properties of.
+# Category: Examine Static Properties > .NET
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/.net
+
+% dotnetfile
+
+# Show help for dotnetfile
+dotnetfile --help
@@ -0,0 +1,9 @@
+# droidlysis
+# Perform static analysis of Android applications.
+# Category: Examine Static Properties > General
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
+
+% droidlysis
+
+# Show help for droidlysis
+droidlysis --help
@@ -0,0 +1,7 @@
+# edb-debugger
+# Installed via: apt (edb-debugger)
+
+% edb-debugger
+
+# Show help for edb-debugger
+edb-debugger --help
@@ -0,0 +1,22 @@
+# emldump.py
+# Parse and analyze EML email message files
+# Sections: 3 | Author: Didier Stevens
+# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages
+
+% email, eml, didier-stevens
+
+# Basic usage
+emldump.py message.eml
+
+
+# --- Recipes (multi-tool chains) ---
+
+# >> Extract and Triage Email Attachments
+# List email structure
+emldump.py <email.eml>
+# Extract all attachments
+emldump.py <email.eml> -d
+# Identify file types
+file attachment_*
+# Compute hashes for lookup
+sha256sum attachment_*
@@ -0,0 +1,7 @@
+# enchant
+# Installed via: apt (remnux-packages-enchant)
+
+% enchant
+
+# Show help for enchant
+enchant --help
@@ -0,0 +1,9 @@
+# EPIC IRC Client
+# Examine IRC activities with this IRC client.
+# Category: Explore Network Interactions > Connecting
+# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting
+
+% epic-irc-client
+
+# Show help for EPIC IRC Client
+EPIC IRC Client --help
@@ -0,0 +1,7 @@
+# epic5
+# Installed via: apt (epic5)
+
+% epic5
+
+# Show help for epic5
+epic5 --help
@@ -0,0 +1,9 @@
+# evilclippy
+# Remove VBA project password protection and manipulate Office macro settings
+# Sections: 3
+# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office
+
+% office, vba, password-removal
+
+# Basic usage
+evilclippy -uu document.docm
@@ -0,0 +1,9 @@
+# evince
+# View documents in a variety of formats, including PDF.
+# Category: View or Edit Files
+# Docs: https://docs.remnux.org/discover-the-tools/view+or+edit+files
+
+% evince
+
+# Show help for evince
+evince --help
@@ -0,0 +1,9 @@
+# ex-pe-xor
+# Search an XOR&#x27;ed file for indications of executable binaries.
+# Category: Examine Static Properties > Deobfuscation
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+
+% ex-pe-xor
+
+# Show help for ex-pe-xor
+ex-pe-xor --help
@@ -0,0 +1,7 @@
+# exfat-utils
+# Installed via: apt (remnux-packages-exfat-utils)
+
+% exfat-utils
+
+# Show help for exfat-utils
+exfat-utils --help
@@ -0,0 +1,12 @@
+# exiftool
+# Extract metadata from files (PDF, images, documents, executables)
+# Sections: 1
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
+
+% metadata, triage
+
+# Basic usage
+exiftool document.pdf
+
+# Alternative usage
+exiftool specimen.exe
@@ -0,0 +1,23 @@
+# fakedns
+# Fake DNS server that resolves all queries to a specified IP for traffic interception
+# FOR610 Labs: 1.3, 1.6, 1.7, 1.8 | Sections: 1
+# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services
+
+% dns, spoofing, interception, lab-setup
+
+# Basic usage
+fakedns
+
+
+# --- Recipes (multi-tool chains) ---
+
+# >> Set Up DNS + HTTP Interception
+# Option A: Simple DNS + HTTP
+fakedns &
+httpd &
+# Option B: Full service emulation (HTTP, HTTPS, DNS, FTP, SMTP)
+inetsim
+# Verify DNS is working
+nslookup anything.com
+# Redirect hardcoded IPs too
+iptables -t nat -A PREROUTING -i eth0 -j REDIRECT
@@ -0,0 +1,9 @@
+# fakemail
+# Intercept and examine SMTP email activity with this fake SMTP server.
+# Category: Explore Network Interactions > Services
+# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services
+
+% fakemail
+
+# Show help for fakemail
+fakemail --help
@@ -0,0 +1,11 @@
+# fakenet-ng
+# Emulate network services (HTTP, DNS, SMTP, FTP) to intercept and analyze malware traffic dynamically
+# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services
+
+% network, emulation, dynamic-analysis, c2
+
+# Basic usage
+fakenet
+
+# Alternative usage
+fakenet -c custom_config.ini
@@ -0,0 +1,24 @@
+# feh
+# Lightweight image viewer for viewing extracted images from documents
+# FOR610 Labs: 3.1 | Sections: 3
+# Docs: https://docs.remnux.org/discover-the-tools/view+or+edit+files
+
+% image-viewer
+
+# Basic usage
+feh extracted_image.jpg
+
+
+# --- Recipes (multi-tool chains) ---
+
+# >> Extract Embedded Object from PDF
+# Scan for suspicious keywords
+pdfid.py <document.pdf>
+# Find objects containing the keyword
+pdf-parser.py <document.pdf> -s /URI
+# Extract all values for that keyword
+pdf-parser.py <document.pdf> -k /URI
+# Dump a specific object to file
+pdf-parser.py <document.pdf> -o <obj_id> -d extracted_object
+# View extracted image
+feh extracted_object &
@@ -0,0 +1,9 @@
+# file-magic.py
+# Identify file types using the Python magic module.
+# Category: Examine Static Properties > General
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
+
+% file-magic.py
+
+# Show help for file-magic.py
+file-magic.py --help
@@ -0,0 +1,25 @@
+# file
+# Determine file type and MIME type using magic bytes
+# FOR610 Labs: 3.4, 3.5 | Sections: 3
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
+
+% file-identification, triage
+
+# Basic usage
+file specimen.exe
+
+# Alternative usage
+file document.doc
+
+
+# --- Recipes (multi-tool chains) ---
+
+# >> Extract and Triage Email Attachments
+# List email structure
+emldump.py <email.eml>
+# Extract all attachments
+emldump.py <email.eml> -d
+# Identify file types
+file attachment_*
+# Compute hashes for lookup
+sha256sum attachment_*
--- a/Show More
+++ b/Show More