Add FOR610 tool/workflow knowledge base and data pipeline

Build comprehensive malware analysis knowledge base from 3 sources: - SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes - REMnux salt-states: 340 packages parsed from GitHub - REMnux docs: 280+ tools scraped from docs.remnux.org Master inventory merges all sources into 447 tools with help tiers (rich/standard/basic). Pipeline generates: tools.db (397 entries), 397 cheatsheets with multi-tool recipes, 15 workflow guides, 224 TLDR pages, and coverage reports. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 17:38:15 +01:00
parent 06ebb09ab0
commit f3ccc09c3d
663 changed files with 36339 additions and 1 deletions
@@ -0,0 +1,7 @@
+# 1768.py
+
+> Parse Cobalt Strike beacon configuration from shellcode or memory dumps
+
+- Run 1768.py:
+
+`1768.py shellcode.bin`
@@ -0,0 +1,7 @@
+# 7-Zip
+
+> Compress and decompress files using a variety of algorithms.
+
+- Run 7-Zip:
+
+`7-Zip --help`
@@ -0,0 +1,7 @@
+# AESKeyFinder
+
+> Find 128-bit and 256-bit AES keys in a memory image.
+
+- Run AESKeyFinder:
+
+`AESKeyFinder --help`
@@ -0,0 +1,15 @@
+# androguard
+
+> Analyze Android APK files — extract permissions, activities, intents, and decompile DEX code
+
+- Run androguard:
+
+`androguard analyze <app.apk>`
+
+- Run androguard:
+
+`androguard decompile -o output/ <app.apk>`
+
+- Run androguard:
+
+`androgui.py <app.apk>`
@@ -0,0 +1,7 @@
+# AndroidProjectCreator
+
+> Convert an Android APK application file into an Android Studio project for easier analysis.
+
+- Run AndroidProjectCreator:
+
+`AndroidProjectCreator --help`
@@ -0,0 +1,7 @@
+# anomy
+
+> A wrapper around wget, ssh, sftp, ftp, and telnet to route these connections through Tor to anonymize your traffic.
+
+- Run anomy:
+
+`anomy --help`
@@ -0,0 +1,7 @@
+# apkid
+
+> Identify compilers, packers, and obfuscators used to protect Android APK and DEX files.
+
+- Run apkid:
+
+`apkid --help`
@@ -0,0 +1,11 @@
+# apktool
+
+> Decompile and recompile Android APK files — extract resources, smali code, and manifest
+
+- Run apktool:
+
+`apktool d <app.apk> -o output/`
+
+- Run apktool:
+
+`apktool b output/ -o rebuilt.apk`
@@ -0,0 +1,7 @@
+# autoit-ripper
+
+> Extract AutoIt scripts embedded in PE binaries.
+
+- Run autoit-ripper:
+
+`autoit-ripper --help`
@@ -0,0 +1,7 @@
+# baksmali
+
+> Disassembler for the dex format used by Dalvik, Android&#x27;s Java VM implementation.
+
+- Run baksmali:
+
+`baksmali --help`
@@ -0,0 +1,7 @@
+# balbuzard
+
+> Extract and deobfuscate patterns from suspicious files.
+
+- Run balbuzard:
+
+`balbuzard --help`
@@ -0,0 +1,15 @@
+# base64dump.py
+
+> Extract and decode Base64-encoded strings from files
+
+- Run base64dump.py:
+
+`base64dump.py file.txt`
+
+- Run base64dump.py:
+
+`base64dump.py file.ps1 -n 10`
+
+- Run base64dump.py:
+
+`base64dump.py file.ps1 -s 2 -d`
@@ -0,0 +1,7 @@
+# bbcrack
+
+> Detect and decode strings obfuscated with XOR, ROL, and ADD algorithms
+
+- Run bbcrack:
+
+`bbcrack -l 1 specimen.dll`
@@ -0,0 +1,7 @@
+# binee (Binary Emulation Environment)
+
+> Analyze I/O operations of a suspicious PE file by emulating its execution.
+
+- Run binee (Binary Emulation Environment):
+
+`binee (Binary Emulation Environment) --help`
@@ -0,0 +1,11 @@
+# binwalk
+
+> Analyze and extract embedded files and firmware images
+
+- Run binwalk:
+
+`binwalk firmware.bin`
+
+- Run binwalk:
+
+`binwalk -e firmware.bin`
@@ -0,0 +1,7 @@
+# box-js
+
+> JavaScript sandbox for analyzing malicious scripts by emulating browser/WScript APIs
+
+- Run box-js:
+
+`box-js --output-dir=/tmp suspicious.js`
@@ -0,0 +1,7 @@
+# brxor.py
+
+> Brute-force XOR key detection for single-byte XOR-encoded strings
+
+- Run brxor.py:
+
+`brxor.py specimen.dll`
@@ -0,0 +1,7 @@
+# bulk-extractor
+
+> Extract interesting strings from binary files.
+
+- Run bulk-extractor:
+
+`bulk-extractor --help`
@@ -0,0 +1,7 @@
+# Burp Suite Community Edition
+
+> Investigate website interactions using this web proxy.
+
+- Run Burp Suite Community Edition:
+
+`Burp Suite Community Edition --help`
@@ -0,0 +1,7 @@
+# Bytehist
+
+> Generate byte-usage histograms to visually identify packed or encrypted sections in binaries
+
+- Run Bytehist:
+
+`bytehist specimen.exe`
@@ -0,0 +1,7 @@
+# cabextract
+
+> Extract Microsoft cabinet (cab) files.
+
+- Run cabextract:
+
+`cabextract --help`
@@ -0,0 +1,15 @@
+# capa
+
+> Identify malware capabilities mapped to MITRE ATT&CK framework and Malware Behavior Catalog
+
+- Run capa:
+
+`capa specimen.exe`
+
+- Run capa:
+
+`capa -vv specimen.exe`
+
+- Run capa:
+
+`capa -vv specimen.exe | grep -A7 'Suspended Process'`
@@ -0,0 +1,7 @@
+# cast
+
+> Install and manage SaltStack-based Linux distributions.
+
+- Run cast:
+
+`cast --help`
@@ -0,0 +1,11 @@
+# cfr
+
+> Modern Java decompiler — handles Java 8+ features including lambdas and try-with-resources
+
+- Run cfr:
+
+`cfr <file.jar> --outputdir output/`
+
+- Run cfr:
+
+`cfr <file.class>`
@@ -0,0 +1,7 @@
+# chepy
+
+> Decode and otherwise analyze data using this command-line tool and Python library.
+
+- Run chepy:
+
+`chepy --help`
@@ -0,0 +1,15 @@
+# ClamAV
+
+> Open-source antivirus — scan files for known malware signatures
+
+- Run ClamAV:
+
+`clamscan <sample>`
+
+- Run ClamAV:
+
+`clamscan -r <directory>/`
+
+- Run ClamAV:
+
+`freshclam`
@@ -0,0 +1,7 @@
+# Cobalt Strike Configuration Extractor (CSCE) and Parser
+
+> Analyze Cobalt Strike beacons.
+
+- Run Cobalt Strike Configuration Extractor (CSCE) and Parser:
+
+`Cobalt Strike Configuration Extractor (CSCE) and Parser --help`
@@ -0,0 +1,7 @@
+# cs-analyze-processdump.py
+
+> Analyze Cobalt Strike beacon process dumps for sleep mask encoding
+
+- Run cs-analyze-processdump.py:
+
+`cs-analyze-processdump.py <process_dump>`
@@ -0,0 +1,7 @@
+# cs-decrypt-metadata.py
+
+> Decrypt Cobalt Strike beacon metadata from network captures
+
+- Run cs-decrypt-metadata.py:
+
+`cs-decrypt-metadata.py <metadata_hex>`
@@ -0,0 +1,7 @@
+# cs-extract-key.py
+
+> Extract AES and HMAC encryption keys from Cobalt Strike beacon process memory dumps
+
+- Run cs-extract-key.py:
+
+`cs-extract-key.py -f <process_dump>`
@@ -0,0 +1,7 @@
+# cs-parse-traffic.py
+
+> Decrypt and parse Cobalt Strike beacon network traffic using extracted keys
+
+- Run cs-parse-traffic.py:
+
+`cs-parse-traffic.py -f <capture.pcap> -k <keys_file>`
@@ -0,0 +1,11 @@
+# curl
+
+> Transfer data to/from servers using various protocols
+
+- Run curl:
+
+`curl -L http://example.com`
+
+- Run curl:
+
+`curl -o output.bin http://example.com/file`
@@ -0,0 +1,7 @@
+# cut-bytes.py
+
+> Cut out a part of a data stream.
+
+- Run cut-bytes.py:
+
+`cut-bytes.py --help`
@@ -0,0 +1,7 @@
+# Cutter
+
+> Open-source reverse engineering platform — Qt-based GUI for radare2
+
+- Run Cutter:
+
+`cutter specimen.exe`
@@ -0,0 +1,7 @@
+# CyberChef
+
+> Web-based data transformation tool — decode Base64, XOR, hex, decompress, and chain operations
+
+- Run CyberChef:
+
+`cyberchef`
@@ -0,0 +1,11 @@
+# dc3-mwcp
+
+> DC3 Malware Configuration Parser — extract C2 configs from known malware families
+
+- Run dc3-mwcp:
+
+`mwcp parse <sample>`
+
+- Run dc3-mwcp:
+
+`mwcp parse -p Emotet <sample>`
@@ -0,0 +1,7 @@
+# de4dot
+
+> .NET deobfuscator — remove obfuscation from .NET assemblies
+
+- Run de4dot:
+
+`de4dot obfuscated.exe`
@@ -0,0 +1,7 @@
+# decode-vbe.py
+
+> Decode encoded VBS scripts (VBE).
+
+- Run decode-vbe.py:
+
+`decode-vbe.py --help`
@@ -0,0 +1,7 @@
+# Decompyle++
+
+> Python bytecode disassembler and decompiler.
+
+- Run Decompyle++:
+
+`Decompyle++ --help`
@@ -0,0 +1,7 @@
+# dex2jar
+
+> Examine Dalvik Executable (dex) files.
+
+- Run dex2jar:
+
+`dex2jar --help`
@@ -0,0 +1,7 @@
+# dexray
+
+> Extract and decode data from antivirus quarantine files.
+
+- Run dexray:
+
+`dexray --help`
@@ -0,0 +1,7 @@
+# diec
+
+> Detect packers, compilers, and tools used to create executables
+
+- Run diec:
+
+`diec specimen.exe`
@@ -0,0 +1,7 @@
+# disitool
+
+> Manipulate embedded digital signatures.
+
+- Run disitool:
+
+`disitool --help`
@@ -0,0 +1,7 @@
+# dissect
+
+> Perform a variety of forensics and incident response tasks using this DFIR framework and toolset.
+
+- Run dissect:
+
+`dissect --help`
@@ -0,0 +1,7 @@
+# dnfile
+
+> Analyze static properties of.
+
+- Run dnfile:
+
+`dnfile --help`
@@ -0,0 +1,7 @@
+# dnslib
+
+> Python library to encode/decode DNS wire-format packets.
+
+- Run dnslib:
+
+`dnslib --help`
@@ -0,0 +1,7 @@
+# dnsresolver.py
+
+> DNS resolver tool for dynamic analysis with wildcard and tracking support.
+
+- Run dnsresolver.py:
+
+`dnsresolver.py --help`
@@ -0,0 +1,7 @@
+# docker
+
+> Run and manage containers.
+
+- Run docker:
+
+`docker --help`
@@ -0,0 +1,7 @@
+# dos2unix
+
+> Convert text files with Windows or macOS line breaks to Unix line breaks and vice versa.
+
+- Run dos2unix:
+
+`dos2unix --help`
@@ -0,0 +1,7 @@
+# dotnetfile
+
+> Analyze static properties of.
+
+- Run dotnetfile:
+
+`dotnetfile --help`
@@ -0,0 +1,7 @@
+# droidlysis
+
+> Perform static analysis of Android applications.
+
+- Run droidlysis:
+
+`droidlysis --help`
@@ -0,0 +1,7 @@
+# emldump.py
+
+> Parse and analyze EML email message files
+
+- Run emldump.py:
+
+`emldump.py message.eml`
@@ -0,0 +1,7 @@
+# EPIC IRC Client
+
+> Examine IRC activities with this IRC client.
+
+- Run EPIC IRC Client:
+
+`EPIC IRC Client --help`
@@ -0,0 +1,7 @@
+# evilclippy
+
+> Remove VBA project password protection and manipulate Office macro settings
+
+- Run evilclippy:
+
+`evilclippy -uu document.docm`
@@ -0,0 +1,7 @@
+# evince
+
+> View documents in a variety of formats, including PDF.
+
+- Run evince:
+
+`evince --help`
@@ -0,0 +1,7 @@
+# ex-pe-xor
+
+> Search an XOR&#x27;ed file for indications of executable binaries.
+
+- Run ex-pe-xor:
+
+`ex-pe-xor --help`
@@ -0,0 +1,11 @@
+# exiftool
+
+> Extract metadata from files (PDF, images, documents, executables)
+
+- Run exiftool:
+
+`exiftool document.pdf`
+
+- Run exiftool:
+
+`exiftool specimen.exe`
@@ -0,0 +1,7 @@
+# fakedns
+
+> Fake DNS server that resolves all queries to a specified IP for traffic interception
+
+- Run fakedns:
+
+`fakedns`
@@ -0,0 +1,7 @@
+# fakemail
+
+> Intercept and examine SMTP email activity with this fake SMTP server.
+
+- Run fakemail:
+
+`fakemail --help`
@@ -0,0 +1,11 @@
+# fakenet-ng
+
+> Emulate network services (HTTP, DNS, SMTP, FTP) to intercept and analyze malware traffic dynamically
+
+- Run fakenet-ng:
+
+`fakenet`
+
+- Run fakenet-ng:
+
+`fakenet -c custom_config.ini`
@@ -0,0 +1,7 @@
+# feh
+
+> Lightweight image viewer for viewing extracted images from documents
+
+- Run feh:
+
+`feh extracted_image.jpg`
@@ -0,0 +1,7 @@
+# file-magic.py
+
+> Identify file types using the Python magic module.
+
+- Run file-magic.py:
+
+`file-magic.py --help`
@@ -0,0 +1,11 @@
+# file
+
+> Determine file type and MIME type using magic bytes
+
+- Run file:
+
+`file specimen.exe`
+
+- Run file:
+
+`file document.doc`
@@ -0,0 +1,7 @@
+# firefox
+
+> Web browser.
+
+- Run firefox:
+
+`firefox --help`
@@ -0,0 +1,15 @@
+# FLOSS
+
+> Automatically extract obfuscated strings from malware using static analysis, stack strings, and emulation
+
+- Run FLOSS:
+
+`floss specimen.exe`
+
+- Run FLOSS:
+
+`floss specimen.exe > strings-output.txt`
+
+- Run FLOSS:
+
+`floss --no-static -- specimen.exe`
@@ -0,0 +1,7 @@
+# format-bytes.py
+
+> Decompose structured binary data with format strings.
+
+- Run format-bytes.py:
+
+`format-bytes.py --help`
@@ -0,0 +1,15 @@
+# Frida
+
+> Dynamic instrumentation toolkit — hook and trace running processes, intercept function calls in real time
+
+- Run Frida:
+
+`frida -l hook.js <process_name>`
+
+- Run Frida:
+
+`frida-trace -i 'recv*' <process_name>`
+
+- Run Frida:
+
+`frida-ps -U`
@@ -0,0 +1,7 @@
+# Ghidra
+
+> Open-source disassembler and decompiler from NSA with scripting, function graphs, and data type management
+
+- Run Ghidra:
+
+`ghidra`
@@ -0,0 +1,7 @@
+# GhidrAssistMCP
+
+> MCP server for AI-assisted reverse engineering in Ghidra.
+
+- Run GhidrAssistMCP:
+
+`GhidrAssistMCP --help`
@@ -0,0 +1,7 @@
+# GNOME Calculator
+
+> Calculator.
+
+- Run GNOME Calculator:
+
+`GNOME Calculator --help`
@@ -0,0 +1,7 @@
+# GNU Wget
+
+> Interact with servers via HTTP, HTTPS, FTP, and FTPS using this command-line tool.
+
+- Run GNU Wget:
+
+`GNU Wget --help`
@@ -0,0 +1,7 @@
+# goresym
+
+> Extract metadata and symbols from Go binaries, including stripped ones.
+
+- Run goresym:
+
+`goresym --help`
@@ -0,0 +1,7 @@
+# gunzip
+
+> Decompress gzip-compressed data (often used in multi-stage payload extraction)
+
+- Run gunzip:
+
+`gunzip -c compressed.gz > output.bin`
@@ -0,0 +1,7 @@
+# Hachoir
+
+> View, edit, and carve contents of various binary file types.
+
+- Run Hachoir:
+
+`Hachoir --help`
@@ -0,0 +1,7 @@
+# Hash ID
+
+> Identify different types of hashes.
+
+- Run Hash ID:
+
+`Hash ID --help`
@@ -0,0 +1,7 @@
+# hex-to-bin.py
+
+> Convert hexadecimal text dumps to binary data.
+
+- Run hex-to-bin.py:
+
+`hex-to-bin.py --help`
@@ -0,0 +1,7 @@
+# hexdump
+
+> Display file content in hexadecimal format
+
+- Run hexdump:
+
+`hexdump -C binary.dat`
@@ -0,0 +1,7 @@
+# httpd
+
+> Simple HTTP server on REMnux for simulating C2 web servers
+
+- Run httpd:
+
+`httpd`
@@ -0,0 +1,7 @@
+# ibus
+
+> Adjust input methods for the GUI.
+
+- Run ibus:
+
+`ibus --help`
@@ -0,0 +1,7 @@
+# ILSpy
+
+> .NET assembly decompiler — view C#/VB.NET source from compiled .NET binaries
+
+- Run ILSpy:
+
+`ILSpy.exe assembly.exe`
@@ -0,0 +1,7 @@
+# ilspycmd
+
+> Command-line .NET decompiler (CLI version of ILSpy)
+
+- Run ilspycmd:
+
+`ilspycmd assembly.exe > decompiled.cs`
@@ -0,0 +1,7 @@
+# imagemagick
+
+> View and manipulate image and related files.
+
+- Run imagemagick:
+
+`imagemagick --help`
@@ -0,0 +1,7 @@
+# INetSim
+
+> Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for malware analysis in isolated labs
+
+- Run INetSim:
+
+`inetsim`
@@ -0,0 +1,7 @@
+# inspircd
+
+> Examine IRC activity with this IRC server.
+
+- Run inspircd:
+
+`inspircd --help`
@@ -0,0 +1,7 @@
+# ioc-parser
+
+> Extract indicators of compromise (IOCs) from PDF reports and text files
+
+- Run ioc-parser:
+
+`ioc_parser <report.pdf>`
@@ -0,0 +1,7 @@
+# iptables
+
+> Linux firewall and NAT tool for redirecting IP-based malware traffic
+
+- Run iptables:
+
+`iptables -t nat -A PREROUTING -i ens32 -j REDIRECT`
@@ -0,0 +1,7 @@
+# ipwhois
+
+> Retrieve and parse whois data for IP addresses.
+
+- Run ipwhois:
+
+`ipwhois --help`
@@ -0,0 +1,11 @@
+# jadx
+
+> Decompile Android DEX/APK to Java source code with a GUI or command line
+
+- Run jadx:
+
+`jadx <app.apk> -d output/`
+
+- Run jadx:
+
+`jadx-gui <app.apk>`
@@ -0,0 +1,7 @@
+# java-idx-parser
+
+> Analyze Java IDX files.
+
+- Run java-idx-parser:
+
+`java-idx-parser --help`
@@ -0,0 +1,7 @@
+# Javassist
+
+> Java bytecode engineering toolkit/library.
+
+- Run Javassist:
+
+`Javassist --help`
@@ -0,0 +1,7 @@
+# JD-GUI Java Decompiler
+
+> Java decompiler with GUI.
+
+- Run JD-GUI Java Decompiler:
+
+`JD-GUI Java Decompiler --help`
@@ -0,0 +1,7 @@
+# jd-gui
+
+> Visual Java decompiler with GUI — browse and search decompiled JAR/class files
+
+- Run jd-gui:
+
+`jd-gui <file.jar>`
@@ -0,0 +1,11 @@
+# jq
+
+> Command-line JSON processor for extracting and transforming structured data
+
+- Run jq:
+
+`cat report.json | jq '.apis'`
+
+- Run jq:
+
+`jq -r '.entry' report.json`
@@ -0,0 +1,7 @@
+# js-beautify
+
+> Format and beautify obfuscated JavaScript code for readability
+
+- Run js-beautify:
+
+`js-beautify malicious.js > beautified.js`
@@ -0,0 +1,7 @@
+# jstillery
+
+> Deobfuscate JavaScript scripts using AST and Partial Evaluation techniques.
+
+- Run jstillery:
+
+`jstillery --help`
@@ -0,0 +1,7 @@
+# libemu
+
+> A library for x86 code emulation and shellcode detection.
+
+- Run libemu:
+
+`libemu --help`
@@ -0,0 +1,7 @@
+# libolecf
+
+> Microsoft Office OLE2 compound documents.
+
+- Run libolecf:
+
+`libolecf --help`
@@ -0,0 +1,7 @@
+# lief
+
+> Parse and analyze PE, ELF, MachO, DEX, OAT, VDEX, ART, and DWARF executable formats.
+
+- Run lief:
+
+`lief --help`
@@ -0,0 +1,7 @@
+# magika
+
+> Identify file type using signatures.
+
+- Run magika:
+
+`magika --help`
@@ -0,0 +1,7 @@
+# mail-parser
+
+> Parse raw SMTP email messages and extract headers, body, and attachments
+
+- Run mail-parser:
+
+`python3 -c "import mailparser; mail = mailparser.parse_from_file('<email.eml>'); print(mail.subject)"`
--- a/Show More
+++ b/Show More