Add FOR610 tool/workflow knowledge base and data pipeline

Build comprehensive malware analysis knowledge base from 3 sources:
- SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes
- REMnux salt-states: 340 packages parsed from GitHub
- REMnux docs: 280+ tools scraped from docs.remnux.org

Master inventory merges all sources into 447 tools with help tiers
(rich/standard/basic); 397 of those are present in REMnux, which is
the subset the pipeline generates artifacts for: tools.db (397 entries),
397 cheatsheets with multi-tool recipes, 15 workflow guides, 224
TLDR pages, and coverage reports.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
tobias
2026-03-28 17:38:15 +01:00
parent 06ebb09ab0
commit f3ccc09c3d
663 changed files with 36339 additions and 1 deletions
+171
@@ -0,0 +1,171 @@
# Master Category Taxonomy
# Maps REMnux docs 11-category hierarchy (primary) to FOR610 18 categories
# REMnux categories are the public standard from docs.remnux.org
categories:
# --- EXAMINE STATIC PROPERTIES ---
- id: examine-static-properties-general
name: "Examine Static Properties > General"
remnux_docs_path: "examine+static+properties/general"
for610_categories: [static-analysis-pe, yara-detection]
- id: examine-static-properties-pe
name: "Examine Static Properties > PE Files"
remnux_docs_path: "examine+static+properties/pe-files"
for610_categories: [static-analysis-pe]
- id: examine-static-properties-elf
name: "Examine Static Properties > ELF Files"
remnux_docs_path: "examine+static+properties/elf-files"
for610_categories: []
- id: examine-static-properties-dotnet
name: "Examine Static Properties > .NET"
remnux_docs_path: "examine+static+properties/.net"
for610_categories: [dotnet-analysis]
- id: examine-static-properties-go
name: "Examine Static Properties > Go"
remnux_docs_path: "examine+static+properties/go"
for610_categories: []
- id: examine-static-properties-deobfuscation
name: "Examine Static Properties > Deobfuscation"
remnux_docs_path: "examine+static+properties/deobfuscation"
for610_categories: [string-deobfuscation]
# --- STATICALLY ANALYZE CODE ---
- id: statically-analyze-code-general
name: "Statically Analyze Code > General"
remnux_docs_path: "statically+analyze+code/general"
for610_categories: [code-analysis]
- id: statically-analyze-code-unpacking
name: "Statically Analyze Code > Unpacking"
remnux_docs_path: "statically+analyze+code/unpacking"
for610_categories: [unpacking]
- id: statically-analyze-code-pe
name: "Statically Analyze Code > PE Files"
remnux_docs_path: "statically+analyze+code/pe-files"
for610_categories: [emulation]
- id: statically-analyze-code-python
name: "Statically Analyze Code > Python"
remnux_docs_path: "statically+analyze+code/python"
for610_categories: []
- id: statically-analyze-code-scripts
name: "Statically Analyze Code > Scripts"
remnux_docs_path: "statically+analyze+code/scripts"
for610_categories: [javascript-analysis]
- id: statically-analyze-code-java
name: "Statically Analyze Code > Java"
remnux_docs_path: "statically+analyze+code/java"
for610_categories: []
- id: statically-analyze-code-dotnet
name: "Statically Analyze Code > .NET"
remnux_docs_path: "statically+analyze+code/.net"
for610_categories: [dotnet-analysis]
- id: statically-analyze-code-android
name: "Statically Analyze Code > Android"
remnux_docs_path: "statically+analyze+code/android"
for610_categories: []
# --- DYNAMICALLY REVERSE-ENGINEER CODE ---
- id: dynamically-reverse-engineer-general
name: "Dynamically Reverse-Engineer Code > General"
remnux_docs_path: "dynamically+reverse-engineer+code/general"
for610_categories: [debugging]
- id: dynamically-reverse-engineer-shellcode
name: "Dynamically Reverse-Engineer Code > Shellcode"
remnux_docs_path: "dynamically+reverse-engineer+code/shellcode"
for610_categories: [emulation]
- id: dynamically-reverse-engineer-scripts
name: "Dynamically Reverse-Engineer Code > Scripts"
remnux_docs_path: "dynamically+reverse-engineer+code/scripts"
for610_categories: [javascript-analysis, powershell-analysis]
- id: dynamically-reverse-engineer-elf
name: "Dynamically Reverse-Engineer Code > ELF Files"
remnux_docs_path: "dynamically+reverse-engineer+code/elf-files"
for610_categories: []
# --- MEMORY FORENSICS ---
- id: perform-memory-forensics
name: "Perform Memory Forensics"
remnux_docs_path: "perform+memory+forensics"
for610_categories: []
# --- NETWORK INTERACTIONS ---
- id: explore-network-monitoring
name: "Explore Network Interactions > Monitoring"
remnux_docs_path: "explore+network+interactions/monitoring"
for610_categories: [network-analysis]
- id: explore-network-connecting
name: "Explore Network Interactions > Connecting"
remnux_docs_path: "explore+network+interactions/connecting"
for610_categories: [network-analysis]
- id: explore-network-services
name: "Explore Network Interactions > Services"
remnux_docs_path: "explore+network+interactions/services"
for610_categories: [network-analysis]
# --- SYSTEM INTERACTIONS ---
- id: investigate-system-interactions
name: "Investigate System Interactions"
remnux_docs_path: "investigate+system+interactions"
for610_categories: [behavioral-analysis]
# --- DOCUMENTS ---
- id: analyze-documents-general
name: "Analyze Documents > General"
remnux_docs_path: "analyze+documents/general"
for610_categories: [document-analysis]
- id: analyze-documents-pdf
name: "Analyze Documents > PDF"
remnux_docs_path: "analyze+documents/pdf"
for610_categories: [pdf-analysis]
- id: analyze-documents-office
name: "Analyze Documents > Microsoft Office"
remnux_docs_path: "analyze+documents/microsoft+office"
for610_categories: [document-analysis]
- id: analyze-documents-email
name: "Analyze Documents > Email Messages"
remnux_docs_path: "analyze+documents/email+messages"
for610_categories: [document-analysis]
# --- AI ---
- id: use-artificial-intelligence
name: "Use Artificial Intelligence"
remnux_docs_path: "use+artificial+intelligence"
for610_categories: []
# --- DATA GATHERING ---
- id: gather-and-analyze-data
name: "Gather and Analyze Data"
remnux_docs_path: "gather+and+analyze+data"
for610_categories: [yara-detection]
# --- VIEW/EDIT ---
- id: view-or-edit-files
name: "View or Edit Files"
remnux_docs_path: "view+or+edit+files"
for610_categories: [utilities]
# --- GENERAL UTILITIES ---
- id: general-utilities
name: "General Utilities"
remnux_docs_path: "general+utilities"
for610_categories: [utilities]
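Review bot: The `for610_categories` values (`static-analysis-pe`, `yara-detection`, `emulation`, …) are free-form ids with no declared vocabulary in this file, so a typo or a stale id silently maps a category to nothing instead of failing the build; add a top-level `for610_category_ids:` list (or have the merge script validate every referenced id against the FOR610 source) and fail on unknown ids. Two mappings look worth a second look or at least a comment: `statically-analyze-code-pe` maps only to `[emulation]` rather than a static PE bucket, and both `examine-static-properties-general` and `gather-and-analyze-data` claim `yara-detection`, so YARA tools land in two categories unless the merge step dedupes. The `remnux_docs_path` convention is also undocumented; I would extend the header with `# remnux_docs_path: slug under docs.remnux.org ('+' = space); an opaque lookup key, not a filesystem path — note ".net" would otherwise become a dot-prefixed directory`.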
+986
@@ -0,0 +1,986 @@
summary:
total_tools: 447
in_remnux_count: 397
help_tier_counts:
rich: 156
standard: 118
basic: 173
source_coverage:
for610_only: 58
remnux_docs_only: 51
salt_states_only: 173
all_three: 65
for610_and_docs: 92
for610_and_salt: 71
docs_and_salt: 132
no_coverage: 0
needs_help:
- id: 7zip
name: 7zip
tier: basic
- id: aeskeyfind
name: aeskeyfind
tier: basic
- id: android-project-creator
name: android-project-creator
tier: basic
- id: apt-utils
name: apt-utils
tier: basic
- id: archive-zip
name: archive-zip
tier: basic
- id: autoconf
name: autoconf
tier: basic
- id: autologin
name: autologin
tier: basic
- id: automake
name: automake
tier: basic
- id: bash-history
name: bash-history
tier: basic
- id: bash-rc
name: bash-rc
tier: basic
- id: bearparser
name: bearparser
tier: basic
- id: binee
name: binee
tier: basic
- id: binutils
name: binutils
tier: basic
- id: build-essential
name: build-essential
tier: basic
- id: bundler
name: bundler
tier: basic
- id: burpsuite-community
name: burpsuite-community
tier: basic
- id: cffi
name: cffi
tier: basic
- id: clamav-daemon
name: clamav-daemon
tier: basic
- id: compatibility
name: compatibility
tier: basic
- id: default-jdk
name: default-jdk
tier: basic
- id: default-jre
name: default-jre
tier: basic
- id: dialog
name: dialog
tier: basic
- id: didier-stevens-suite
name: didier-stevens-scripts
tier: basic
- id: display
name: display
tier: basic
- id: distro-info
name: distro-info
tier: basic
- id: dllcharacteristics
name: dllcharacteristics
tier: basic
- id: dog
name: dog
tier: basic
- id: dot-cache
name: dot-cache
tier: basic
- id: dot-config
name: dot-config
tier: basic
- id: dot-cpan
name: dot-cpan
tier: basic
- id: dot-dbus
name: dot-dbus
tier: basic
- id: dot-local
name: dot-local
tier: basic
- id: dotnet-runtime-3-1
name: dotnet-runtime-3-1
tier: basic
- id: edb-debugger
name: edb-debugger
tier: basic
- id: enchant
name: enchant
tier: basic
- id: epic5
name: epic5
tier: basic
- id: exfat-utils
name: exfat-utils
tier: basic
- id: flare-floss
name: flare-floss
tier: basic
- id: flex
name: flex
tier: basic
- id: galculator
name: galculator
tier: basic
- id: gdb
name: gdb
tier: basic
- id: gdm3
name: gdm3
tier: basic
- id: gift
name: gift
tier: basic
- id: git
name: git
tier: basic
- id: gnome-session
name: gnome-session
tier: basic
- id: gnome-shell-extensions
name: gnome-shell-extensions
tier: basic
- id: gnome-terminal
name: gnome-terminal
tier: basic
- id: gnome-tweaks
name: gnome-tweaks
tier: basic
- id: gnutls-bin
name: gnutls-bin
tier: basic
- id: graphviz
name: graphviz
tier: basic
- id: grub-kvm
name: grub-kvm
tier: basic
- id: guest-tools
name: guest-tools
tier: basic
- id: i386-architecture
name: i386-architecture
tier: basic
- id: iproute2
name: iproute2
tier: basic
- id: iputils-ping
name: iputils-ping
tier: basic
- id: ipython3
name: ipython3
tier: basic
- id: lame
name: lame
tier: basic
- id: libboost-dev
name: libboost-dev
tier: basic
- id: libboost-python-dev
name: libboost-python-dev
tier: basic
- id: libboost-system-dev
name: libboost-system-dev
tier: basic
- id: libdpkg-perl
name: libdpkg-perl
tier: basic
- id: libemail-outlook-message-perl
name: libemail-outlook-message-perl
tier: basic
- id: libffi-dev
name: libffi-dev
tier: basic
- id: libfuse2
name: libfuse2
tier: basic
- id: libfuzzy-dev
name: libfuzzy-dev
tier: basic
- id: libfuzzy2
name: libfuzzy2
tier: basic
- id: libglib2
name: libglib2
tier: basic
- id: libglu1-mesa-dev
name: libglu1-mesa-dev
tier: basic
- id: libgraphviz-dev
name: libgraphviz-dev
tier: basic
- id: libgtk-3-0
name: libgtk-3-0
tier: basic
- id: libjavassist-java
name: libjavassist-java
tier: basic
- id: libjpeg-dev
name: libjpeg-dev
tier: basic
- id: libjpeg8-dev
name: libjpeg8-dev
tier: basic
- id: liblzma-dev
name: liblzma-dev
tier: basic
- id: liblzo2-dev
name: liblzo2-dev
tier: basic
- id: libmagic-dev
name: libmagic-dev
tier: basic
- id: libmysqlclient21
name: libmysqlclient21
tier: basic
- id: libncurses
name: libncurses
tier: basic
- id: libnetfilter-queue-dev
name: libnetfilter-queue-dev
tier: basic
- id: libnfnetlink-dev
name: libnfnetlink-dev
tier: basic
- id: libpq5
name: libpq5
tier: basic
- id: libqt5scripttools5
name: libqt5scripttools5
tier: basic
- id: libre2
name: libre2
tier: basic
- id: libsm6
name: libsm6
tier: basic
- id: libsqlite3-dev
name: libsqlite3-dev
tier: basic
- id: libssl-dev
name: libssl-dev
tier: basic
- id: libtool
name: libtool
tier: basic
- id: libtre5
name: libtre5
tier: basic
- id: libusb-1
name: libusb-1
tier: basic
- id: libxml2-dev
name: libxml2-dev
tier: basic
- id: libxslt1-dev
name: libxslt1-dev
tier: basic
- id: linux-headers
name: linux-headers
tier: basic
- id: ltrace
name: ltrace
tier: basic
- id: malcat
name: malcat
tier: basic
- id: manalyze
name: manalyze
tier: basic
- id: mercurial
name: mercurial
tier: basic
- id: microsoft
name: microsoft
tier: basic
- id: microsoft-vscode
name: microsoft-vscode
tier: basic
- id: mono
name: mono
tier: basic
- id: mono-devel
name: mono-devel
tier: basic
- id: mono-utils
name: mono-utils
tier: basic
- id: mynic
name: mynic
tier: basic
- id: nano
name: nano
tier: basic
- id: ndg-httpsclient
name: ndg-httpsclient
tier: basic
- id: net-tools
name: net-tools
tier: basic
- id: nodejs
name: nodejs
tier: basic
- id: openjdk
name: openjdk
tier: basic
- id: openssl
name: openssl
tier: basic
- id: osarch
name: osarch
tier: basic
- id: pe-tree
name: pe-tree
tier: basic
- id: pedump
name: pedump
tier: basic
- id: perl
name: perl
tier: basic
- id: readpe
name: pev
tier: basic
- id: pgadmin
name: pgadmin
tier: basic
- id: pip
name: pip
tier: basic
- id: pkg-config
name: pkg-config
tier: basic
- id: portex
name: portex
tier: basic
- id: prefer-ipv4
name: prefer-ipv4
tier: basic
- id: procyon-decompiler
name: procyon-decompiler
tier: basic
- id: protobuf
name: protobuf
tier: basic
- id: pycdc
name: pycdc
tier: basic
- id: pyelftools
name: pyelftools
tier: basic
- id: python-debian
name: python-debian
tier: basic
- id: python3
name: python3
tier: basic
- id: python3-cryptography
name: python3-cryptography
tier: basic
- id: python3-dev
name: python3-dev
tier: basic
- id: python3-dnspython
name: python3-dnspython
tier: basic
- id: python3-magic
name: python3-magic
tier: basic
- id: python3-netifaces
name: python3-netifaces
tier: basic
- id: python3-numpy
name: python3-numpy
tier: basic
- id: python3-pil
name: python3-pil
tier: basic
- id: python3-pip
name: python3-pip
tier: basic
- id: python3-pyasn1
name: python3-pyasn1
tier: basic
- id: python3-pyqt5
name: python3-pyqt5
tier: basic
- id: python3-requests
name: python3-requests
tier: basic
- id: python3-setuptools
name: python3-setuptools
tier: basic
- id: python3-ssdeep
name: python3-ssdeep
tier: basic
- id: python3-tk
name: python3-tk
tier: basic
- id: python3-venv
name: python3-venv
tier: basic
- id: python3-virtualenv
name: python3-virtualenv
tier: basic
- id: python3-wheel
name: python3-wheel
tier: basic
- id: qtbase5-dev
name: qtbase5-dev
tier: basic
- id: refresh
name: refresh
tier: basic
- id: remnux
name: remnux
tier: basic
- id: remove-app-icons
name: remove-app-icons
tier: basic
- id: rhino
name: rhino
tier: basic
- id: rsakeyfind
name: rsakeyfind
tier: basic
- id: ruby
name: ruby
tier: basic
- id: ruby-dev
name: ruby-dev
tier: basic
- id: salt-minion
name: salt-minion
tier: basic
- id: sharutils
name: sharutils
tier: basic
- id: sift
name: sift
tier: basic
- id: sleuthkit
name: sleuthkit
tier: basic
- id: snap
name: snap
tier: basic
- id: snapd
name: snapd
tier: basic
- id: software-properties-common
name: software-properties-common
tier: basic
- id: ssh
name: ssh
tier: basic
- id: strace
name: strace
tier: basic
- id: subversion
name: subversion
tier: basic
- id: sudo
name: sudo
tier: basic
- id: sudoers
name: sudoers
tier: basic
- id: tzdata
name: tzdata
tier: basic
- id: ubuntu
name: ubuntu
tier: basic
- id: ubuntu-universe
name: ubuntu-universe
tier: basic
- id: user
name: user
tier: basic
- id: vim
name: vim
tier: basic
- id: vscode
name: vscode
tier: basic
- id: wireshark-dev
name: wireshark-dev
tier: basic
- id: xdg-utils
name: xdg-utils
tier: basic
- id: xmlstarlet
name: xmlstarlet
tier: basic
- id: xterm
name: xterm
tier: basic
- id: zbar-tools
name: zbar-tools
tier: basic
- id: zlib1g-dev
name: zlib1g-dev
tier: basic
rich_tools:
- id: 1768-py
name: 1768.py
- id: bytehist
name: Bytehist
- id: clamav
name: ClamAV
- id: cutter
name: Cutter
- id: cyberchef
name: CyberChef
- id: floss
name: FLOSS
- id: frida
name: Frida
- id: ghidra
name: Ghidra
- id: ilspy
name: ILSpy
- id: inetsim
name: INetSim
- id: malchive
name: Malchive
- id: procdot
name: ProcDOT
- id: spidermonkey
name: SpiderMonkey
- id: thug
name: Thug
- id: upx
name: UPX
- id: unfurl
name: Unfurl
- id: visual-studio-code
name: Visual Studio Code
- id: vivisect
name: Vivisect
- id: wine
name: Wine
- id: wireshark
name: Wireshark
- id: xlmmacrodeobfuscator
name: XLMMacroDeobfuscator
- id: xorsearch
name: XORSearch
- id: androguard
name: androguard
- id: apktool
name: apktool
- id: base64dump-py
name: base64dump.py
- id: bbcrack
name: bbcrack
- id: binwalk
name: binwalk
- id: box-js
name: box-js
- id: brxor-py
name: brxor.py
- id: capa
name: capa
- id: cfr
name: cfr
- id: cs-analyze-processdump-py
name: cs-analyze-processdump.py
- id: cs-decrypt-metadata-py
name: cs-decrypt-metadata.py
- id: cs-extract-key-py
name: cs-extract-key.py
- id: cs-parse-traffic-py
name: cs-parse-traffic.py
- id: curl
name: curl
- id: dc3-mwcp
name: dc3-mwcp
- id: de4dot
name: de4dot
- id: diec
name: diec
- id: emldump-py
name: emldump.py
- id: evilclippy
name: evilclippy
- id: exiftool
name: exiftool
- id: fakedns
name: fakedns
- id: fakenet-ng
name: fakenet-ng
- id: feh
name: feh
- id: file
name: file
- id: gunzip
name: gunzip
- id: hexdump
name: hexdump
- id: httpd
name: httpd
- id: ilspycmd
name: ilspycmd
- id: ioc-parser
name: ioc-parser
- id: iptables
name: iptables
- id: jadx
name: jadx
- id: jd-gui
name: jd-gui
- id: jq
name: jq
- id: js-beautify
name: js-beautify
- id: mail-parser
name: mail-parser
- id: malwoverview
name: malwoverview
- id: mitmproxy
name: mitmproxy
- id: msg-extractor
name: msg-extractor
- id: msoffcrypto-tool
name: msoffcrypto-tool
- id: netcat
name: nc
- id: networkminer
name: networkminer
- id: ngrep
name: ngrep
- id: nslookup
name: nslookup
- id: numbers-to-string-py
name: numbers-to-string.py
- id: oledump-py
name: oledump.py
- id: olevba
name: olevba
- id: pcode2code
name: pcode2code
- id: pdf-parser-py
name: pdf-parser.py
- id: pdfid-py
name: pdfid.py
- id: pdfresurrect
name: pdfresurrect
- id: pdftk
name: pdftk
- id: pdftool-py
name: pdftool.py
- id: peepdf
name: peepdf
- id: peframe
name: peframe
- id: pestr
name: pestr
- id: polarproxy
name: polarproxy
- id: pyinstxtractor-ng
name: pyinstxtractor-ng
- id: qiling
name: qiling
- id: qpdf
name: qpdf
- id: radare2
name: radare2
- id: rar
name: rar
- id: rtfdump-py
name: rtfdump.py
- id: runsc32
name: runsc32
- id: scdbgc
name: scdbgc
- id: shcode2exe
name: shcode2exe
- id: speakeasy
name: speakeasy
- id: ssdeep
name: ssdeep
- id: strdeob-pl
name: strdeob.pl
- id: strings
name: strings
- id: tcpdump
name: tcpdump
- id: tcpflow
name: tcpflow
- id: tcpxtract
name: tcpxtract
- id: torsocks
name: torsocks
- id: translate-py
name: translate.py
- id: trid
name: trid
- id: tshark
name: tshark
- id: uncompyle6
name: uncompyle6
- id: unzip
name: unzip
- id: volatility3
name: volatility3
- id: wget
name: wget
- id: xortool
name: xortool
- id: xxd
name: xxd
- id: yara
name: yara
- id: zipdump-py
name: zipdump.py
standard_tools:
- id: 7-zip
name: 7-Zip
- id: aeskeyfinder
name: AESKeyFinder
- id: androidprojectcreator
name: AndroidProjectCreator
- id: burp-suite-community-edition
name: Burp Suite Community Edition
- id: cobalt-strike-configuration-extractor-csce-and-parser
name: Cobalt Strike Configuration Extractor (CSCE) and Parser
- id: decompyle
name: Decompyle++
- id: epic-irc-client
name: EPIC IRC Client
- id: gnome-calculator
name: GNOME Calculator
- id: gnu-wget
name: GNU Wget
- id: ghidrassistmcp
name: GhidrAssistMCP
- id: hachoir
name: Hachoir
- id: hash-id
name: Hash ID
- id: jd-gui-java-decompiler
name: JD-GUI Java Decompiler
- id: javassist
name: Javassist
- id: malcat-lite
name: Malcat Lite
- id: network-miner-free-edition
name: Network Miner Free Edition
- id: procyon
name: Procyon
- id: remnux-installer
name: REMnux Installer
- id: rsakeyfinder
name: RSAKeyFinder
- id: sqlite
name: SQLite
- id: sleuth-kit
name: Sleuth Kit
- id: yara-forge-rules
name: YARA-Forge Rules
- id: anomy
name: anomy
- id: apkid
name: apkid
- id: autoit-ripper
name: autoit-ripper
- id: baksmali
name: baksmali
- id: balbuzard
name: balbuzard
- id: binee-binary-emulation-environment
name: binee (Binary Emulation Environment)
- id: bulk-extractor
name: bulk-extractor
- id: cabextract
name: cabextract
- id: cast
name: cast
- id: chepy
name: chepy
- id: cut-bytes-py
name: cut-bytes.py
- id: decode-vbe-py
name: decode-vbe.py
- id: dex2jar
name: dex2jar
- id: dexray
name: dexray
- id: disitool
name: disitool
- id: dissect
name: dissect
- id: dnfile
name: dnfile
- id: dnslib
name: dnslib
- id: dnsresolver-py
name: dnsresolver.py
- id: docker
name: docker
- id: dos2unix
name: dos2unix
- id: dotnetfile
name: dotnetfile
- id: droidlysis
name: droidlysis
- id: evince
name: evince
- id: ex-pe-xor
name: ex-pe-xor
- id: fakemail
name: fakemail
- id: file-magic-py
name: file-magic.py
- id: firefox
name: firefox
- id: format-bytes-py
name: format-bytes.py
- id: goresym
name: goresym
- id: hex-to-bin-py
name: hex-to-bin.py
- id: ibus
name: ibus
- id: imagemagick
name: imagemagick
- id: inspircd
name: inspircd
- id: ipwhois
name: ipwhois
- id: java-idx-parser
name: java-idx-parser
- id: jstillery
name: jstillery
- id: libemu
name: libemu
- id: libolecf
name: libolecf
- id: lief
name: lief
- id: magika
name: magika
- id: mbcscan
name: mbcscan
- id: monodis
name: monodis
- id: msgconvert
name: msgconvert
- id: msitools
name: msitools
- id: msoffcrypto-crack-py
name: msoffcrypto-crack.py
- id: msoffice-crypt
name: msoffice-crypt
- id: myip
name: myip
- id: myjson-filter-py
name: myjson-filter.py
- id: name-that-hash
name: name-that-hash
- id: nasm
name: nasm
- id: nautilus
name: nautilus
- id: nginx
name: nginx
- id: nomorexor
name: nomorexor
- id: nsrllookup
name: nsrllookup
- id: objdump
name: objdump
- id: objects-js
name: objects.js
- id: olefile
name: olefile
- id: onedump-py
name: onedump.py
- id: opencode
name: opencode
- id: openssh
name: openssh
- id: origami
name: origamindee
- id: pcodedmp
name: pcodedmp
- id: pdnstool
name: pdnstool
- id: powershell
name: powershell
- id: pyinstaller-extractor
name: pyinstaller-extractor
- id: re-search-py
name: re-search.py
- id: redress
name: redress
- id: remnux-mcp-server
name: remnux-mcp-server
- id: sandfly-processdecloak
name: sandfly-processdecloak
- id: scalpel
name: scalpel
- id: scite
name: scite
- id: sets-py
name: sets.py
- id: shellcode2exe-bat
name: shellcode2exe-bat
- id: signsrch
name: signsrch
- id: sortcanon-py
name: sortcanon.py
- id: ssview
name: ssview
- id: tcpick
name: tcpick
- id: tesseract-ocr
name: tesseract-ocr
- id: texteditor-py
name: texteditor.py
- id: thefuzz
name: thefuzz
- id: time-decode
name: time-decode
- id: tor
name: tor
- id: unhide
name: unhide
- id: unicode
name: unicode
- id: unxor
name: unxor
- id: vbindiff
name: vbindiff
- id: virustotal-search
name: virustotal-search
- id: virustotal-submit
name: virustotal-submit
- id: wxhexeditor
name: wxhexeditor
- id: xmldump-py
name: xmldump.py
- id: xor-kpa-py
name: xor-kpa.py
- id: xorbruteforcer
name: xorbruteforcer
- id: xorstrings
name: xorstrings
- id: yara-x
name: yara-x
- id: zbarimg
name: zbarimg
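Review bot: The inventory counts the same tool under several source-specific ids, so `total_tools: 447` and the tier counts are inflated: `7zip`/`7-zip`, `aeskeyfind`/`aeskeyfinder`, `rsakeyfind`/`rsakeyfinder`, `binee`/`binee-binary-emulation-environment`, `burpsuite-community`/`burp-suite-community-edition`, `sleuthkit`/`sleuth-kit`, `malcat`/`malcat-lite`, `jd-gui`/`jd-gui-java-decompiler`, `procyon-decompiler`/`procyon`, `wget`/`gnu-wget`, `networkminer`/`network-miner-free-edition`, `flare-floss`/`floss` and `vscode`/`microsoft-vscode`/`visual-studio-code` all appear as separate entries, and the id≠name rows (`readpe`→`pev`, `didier-stevens-suite`→`didier-stevens-scripts`, `origami`→`origamindee`) suggest the merge never normalised names across sources. The `needs_help` list also treats salt configuration states as tools — `sudoers`, `sudo`, `autologin`, `user`, `bash-history`, `bash-rc`, `ssh`, `salt-minion`, `prefer-ipv4`, `remove-app-icons`, `i386-architecture` — and if the pipeline auto-generates cheatsheets for every `basic` entry it will publish "usage" for states that weaken the analysis VM (autologin, sudo policy); filter non-package states out of the salt parse rather than tiering them. Finally, the `source_coverage` buckets only reconcile with 447 if the pair counts include `all_three` (58+51+173 + (92−65)+(71−65)+(132−65) + 65 = 447), which the report should state, e.g. `# for610_and_docs / for610_and_salt / docs_and_salt are inclusive of all_three; exclusive counts are 27, 6 and 67`.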
+262
@@ -0,0 +1,262 @@
# Manual enrichments for tools not covered by FOR610
# These provide usage examples and descriptions for Priority 1-2 tools
# Merged into tools-master.yaml by build-master-inventory.py
enrichments:
# === MEMORY FORENSICS ===
volatility3:
description: "Memory forensics framework — analyze RAM dumps to find malware, hidden processes, network connections, and injected code"
typical_usage:
- "vol3 -f <memory_dump> windows.info"
- "vol3 -f <memory_dump> windows.pslist"
- "vol3 -f <memory_dump> windows.pstree"
- "vol3 -f <memory_dump> windows.netscan"
- "vol3 -f <memory_dump> windows.malfind"
- "vol3 -f <memory_dump> windows.dlllist --pid <PID>"
- "vol3 -f <memory_dump> windows.dumpfiles --pid <PID>"
tags: [memory, forensics, volatility, incident-response]
# === NETWORK ===
fakenet-ng:
description: "Emulate network services (HTTP, DNS, SMTP, FTP) to intercept and analyze malware traffic dynamically"
typical_usage:
- "fakenet"
- "fakenet -c custom_config.ini"
tags: [network, emulation, dynamic-analysis, c2]
mitmproxy:
description: "Interactive HTTPS proxy for intercepting, inspecting, and modifying encrypted web traffic"
typical_usage:
- "mitmproxy"
- "mitmdump -w capture.flow"
- "mitmproxy --mode transparent"
tags: [network, https, proxy, tls, interception]
polarproxy:
description: "Transparent TLS proxy that decrypts traffic and saves it as PCAP for analysis in Wireshark"
typical_usage:
- "PolarProxy -p 443,80 -w captured.pcap"
tags: [network, tls, decryption, pcap]
networkminer:
description: "Passive network traffic analyzer — extracts files, images, credentials from PCAP captures"
typical_usage:
- "NetworkMiner --pcap <capture.pcap>"
tags: [network, pcap, file-carving, passive]
ngrep:
description: "Search network traffic for patterns — like grep for packets"
typical_usage:
- "ngrep -I <capture.pcap> 'password'"
- "ngrep -d eth0 'GET|POST' 'tcp port 80'"
tags: [network, search, pattern-matching]
tcpflow:
description: "Extract and reassemble TCP streams from PCAP files into individual files"
typical_usage:
- "tcpflow -r <capture.pcap> -o output/"
tags: [network, tcp, stream-extraction]
tcpxtract:
description: "Carve files from network traffic using file signatures"
typical_usage:
- "tcpxtract -f <capture.pcap> -o output/"
tags: [network, file-carving, pcap]
# === DYNAMIC ANALYSIS ===
frida:
description: "Dynamic instrumentation toolkit — hook and trace running processes, intercept function calls in real time"
typical_usage:
- "frida -l hook.js <process_name>"
- "frida-trace -i 'recv*' <process_name>"
- "frida-ps -U"
tags: [dynamic, instrumentation, hooking, tracing]
qiling:
description: "Multi-platform binary emulation framework — emulate PE, ELF, shellcode across OS/arch combinations"
typical_usage:
- "python3 -c \"from qiling import Qiling; ql = Qiling(['<sample>'], '/path/to/rootfs')\""
tags: [emulation, multi-platform, binary-analysis]
vivisect:
description: "Binary analysis and emulation framework — static analysis with emulation capabilities"
typical_usage:
- "vivbin <sample>"
- "python3 -c \"import vivisect; vw = vivisect.VivWorkspace(); vw.loadFromFile('<sample>')\""
tags: [emulation, static-analysis, binary-analysis]
# === ANDROID ===
androguard:
description: "Analyze Android APK files — extract permissions, activities, intents, and decompile DEX code"
typical_usage:
- "androguard analyze <app.apk>"
- "androguard decompile -o output/ <app.apk>"
- "androgui.py <app.apk>"
tags: [android, apk, permissions, decompilation]
apktool:
description: "Decompile and recompile Android APK files — extract resources, smali code, and manifest"
typical_usage:
- "apktool d <app.apk> -o output/"
- "apktool b output/ -o rebuilt.apk"
tags: [android, apk, decompilation, resources]
jadx:
description: "Decompile Android DEX/APK to Java source code with a GUI or command line"
typical_usage:
- "jadx <app.apk> -d output/"
- "jadx-gui <app.apk>"
tags: [android, dex, java, decompilation]
# === JAVA ===
cfr:
description: "Modern Java decompiler — handles Java 8+ features including lambdas and try-with-resources"
typical_usage:
- "cfr <file.jar> --outputdir output/"
- "cfr <file.class>"
tags: [java, decompilation, jar]
jd-gui:
description: "Visual Java decompiler with GUI — browse and search decompiled JAR/class files"
typical_usage:
- "jd-gui <file.jar>"
tags: [java, decompilation, gui]
# === PYTHON REVERSING ===
uncompyle6:
description: "Decompile Python bytecode (.pyc) back to source — supports Python 1.0 through 3.8"
typical_usage:
- "uncompyle6 <file.pyc>"
- "uncompyle6 -o output/ <file.pyc>"
tags: [python, decompilation, bytecode]
pyinstxtractor-ng:
description: "Extract contents of PyInstaller-generated executables without needing matching Python version"
typical_usage:
- "pyinstxtractor-ng <packed_exe>"
tags: [python, pyinstaller, extraction]
# === OFFICE ===
xlmmacrodeobfuscator:
description: "Deobfuscate Excel 4.0 (XLM) macros — these hide in hidden sheets and are hard to detect"
typical_usage:
- "xlmdeobfuscator --file <spreadsheet.xlsm>"
- "xlmdeobfuscator --file <spreadsheet.xlsm> --no-indent"
tags: [office, excel, xlm, macro, deobfuscation]
pcode2code:
description: "Decompile VBA p-code from Office documents — works even when VBA source is removed"
typical_usage:
- "pcode2code <document.docm>"
tags: [office, vba, p-code, decompilation]
msoffcrypto-tool:
description: "Decrypt password-protected Microsoft Office documents (OLE and OOXML)"
typical_usage:
- "msoffcrypto-tool -p infected <encrypted.docx> <decrypted.docx>"
- "msoffcrypto-tool -p password <encrypted.xlsx> <decrypted.xlsx>"
tags: [office, decryption, password]
# === DEOBFUSCATION ===
xortool:
description: "Analyze XOR-encoded data — guess key length and probable key bytes"
typical_usage:
- "xortool <encoded_file>"
- "xortool-xor -s 'key' -i <input> -o <output>"
tags: [xor, deobfuscation, key-recovery]
malchive:
description: "Multi-purpose malware analysis library — config extraction, deobfuscation, and static analysis"
typical_usage:
- "malchive <sample>"
tags: [malware, config-extraction, deobfuscation]
dc3-mwcp:
description: "DC3 Malware Configuration Parser — extract C2 configs from known malware families"
typical_usage:
- "mwcp parse <sample>"
- "mwcp parse -p Emotet <sample>"
tags: [malware, config-extraction, c2]
# === SHELLCODE ===
shcode2exe:
description: "Convert raw shellcode to a Windows PE executable for analysis in disassemblers"
typical_usage:
- "shcode2exe <shellcode.bin> <output.exe>"
tags: [shellcode, conversion, pe]
# === COBALT STRIKE ===
cs-decrypt-metadata-py:
description: "Decrypt Cobalt Strike beacon metadata from network captures"
typical_usage:
- "cs-decrypt-metadata.py <metadata_hex>"
tags: [cobalt-strike, decryption, metadata]
cs-extract-key-py:
description: "Extract AES and HMAC encryption keys from Cobalt Strike beacon process memory dumps"
typical_usage:
- "cs-extract-key.py -f <process_dump>"
tags: [cobalt-strike, encryption, key-extraction]
cs-parse-traffic-py:
description: "Decrypt and parse Cobalt Strike beacon network traffic using extracted keys"
typical_usage:
- "cs-parse-traffic.py -f <capture.pcap> -k <keys_file>"
tags: [cobalt-strike, traffic, decryption]
cs-analyze-processdump-py:
description: "Analyze Cobalt Strike beacon process dumps for sleep mask encoding"
typical_usage:
- "cs-analyze-processdump.py <process_dump>"
tags: [cobalt-strike, sleep-mask, memory]
malwoverview:
description: "Query VirusTotal, Hybrid Analysis, and MalwareBazaar for malware intelligence"
typical_usage:
- "malwoverview -v <hash>"
- "malwoverview -f <sample>"
tags: [threat-intel, virustotal, malware-bazaar]
ioc-parser:
description: "Extract indicators of compromise (IOCs) from PDF reports and text files"
typical_usage:
- "ioc_parser <report.pdf>"
tags: [ioc, extraction, threat-intel]
# === EMAIL ===
mail-parser:
description: "Parse raw SMTP email messages and extract headers, body, and attachments"
typical_usage:
- "python3 -c \"import mailparser; mail = mailparser.parse_from_file('<email.eml>'); print(mail.subject)\""
tags: [email, parsing, attachments]
msg-extractor:
description: "Extract emails and attachments from Microsoft Outlook MSG files"
typical_usage:
- "extract_msg <email.msg>"
- "extract_msg --out-dir output/ <email.msg>"
tags: [email, msg, outlook, attachments]
# === DATA ANALYSIS ===
ssdeep:
description: "Compute fuzzy hashes (CTPH) for finding similar files — useful for malware variant clustering"
typical_usage:
- "ssdeep <sample>"
- "ssdeep -m <known.ssdeep> <sample>"
- "ssdeep -d <sample1> <sample2>"
tags: [hashing, fuzzy, similarity, clustering]
clamav:
description: "Open-source antivirus — scan files for known malware signatures"
typical_usage:
- "clamscan <sample>"
- "clamscan -r <directory>/"
- "freshclam"
tags: [antivirus, scanning, signatures]
unfurl:
description: "Deconstruct and decode URLs — reveal tracking parameters, encoded data, and redirect chains"
typical_usage:
- "unfurl parse <url>"
tags: [url, decoding, phishing, tracking]
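Review bot: The `malwoverview` entry describes a lookup tool but its second example is `malwoverview -f <sample>`, and nothing in the description warns that, if `-f` submits the file rather than its hash, the sample leaves the lab and is visible to third parties and potentially to the adversary; add a caveat such as `# NOTE: check whether -f uploads the file; prefer hash lookups unless sharing the sample is authorised` and consider a `requires-network` tag for entries like this and `clamav` (`freshclam`) so the cheatsheet generator can flag them for an isolated analysis VM. The `<sample>`/`<capture.pcap>` placeholders sit inside shell lines that the generated cheatsheets and TLDR pages will presumably reproduce verbatim; state in the header that consumers must shell-quote substitutions, since malware sample names are attacker-controlled input. `mitmproxy --mode transparent` and `fakenet` also need root and an iptables redirect or default-route change that the examples omit, so a `prerequisites:` line per entry would make these recipes actually runnable. The header's "Priority 1-2 tools" is undefined in this file; one line defining the priority scale would help the next maintainer.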