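# FOR610 Master Tool Catalog
# Comprehensive inventory of all tools referenced in SANS FOR610 course
# Each tool includes platform, availability, lab references, and usage examples
#
# Entry schema (as used by every item below):
#   id              - stable kebab-case identifier (unique per entry)
#   name            - display name, quoted
#   aliases         - other names the tool is known by; [] when none
#   description     - one-line summary, quoted
#   category        - section grouping (pdf-analysis, document-analysis, ...)
#   platform        - linux | windows | both | online
#   in_remnux       - true when the tool ships with REMnux
#   author          - optional; present only for Didier Stevens' tools
#   labs            - FOR610 lab numbers, quoted so "3.10" is not read as 3.1
#   typical_usage   - example invocations, each a quoted string
#   for610_sections - course sections where the tool is covered (integers)
#   tags            - free-form search tags
---
tools:
  # ============================================================
  # PDF ANALYSIS
  # ============================================================
  - id: pdfid-py
    name: "pdfid.py"
    aliases: ["pdfid"]
    description: "Scan PDF files for suspicious keywords like /JavaScript, /OpenAction, /Launch without parsing"
    category: pdf-analysis
    platform: linux
    in_remnux: true
    author: "Didier Stevens"
    labs: ["3.1"]
    typical_usage:
      - "pdfid.py document.pdf"
      - "pdfid.py -n document.pdf"
    for610_sections: [1, 3]
    tags: [pdf, static-analysis, triage, didier-stevens]

  - id: pdf-parser-py
    name: "pdf-parser.py"
    aliases: ["pdf-parser"]
    description: "Parse PDF structure, locate objects, extract content, and search for strings"
    category: pdf-analysis
    platform: linux
    in_remnux: true
    author: "Didier Stevens"
    labs: ["3.1"]
    typical_usage:
      - "pdf-parser.py document.pdf -a"
      - "pdf-parser.py document.pdf -s /URI"
      - "pdf-parser.py document.pdf -k /URI"
      - "pdf-parser.py document.pdf -o 6 -d object6.jpg"
    for610_sections: [1, 3]
    tags: [pdf, static-analysis, object-extraction, didier-stevens]

  - id: peepdf
    name: "peepdf"
    aliases: []
    description: "Interactive PDF analysis framework with JavaScript detection and exploitation capabilities"
    category: pdf-analysis
    platform: linux
    in_remnux: true
    labs: []
    typical_usage:
      - "peepdf -i malicious.pdf"
      - "peepdf -f -i malicious.pdf"
    for610_sections: [1]
    tags: [pdf, interactive, javascript-detection]

  - id: pdftool-py
    name: "pdftool.py"
    aliases: []
    description: "Analyze PDF incremental updates"
    category: pdf-analysis
    platform: linux
    in_remnux: true
    author: "Didier Stevens"
    labs: []
    typical_usage:
      - "pdftool.py document.pdf"
    for610_sections: [1]
    tags: [pdf, didier-stevens]

  - id: pdfresurrect
    name: "pdfresurrect"
    aliases: []
    description: "Extract and analyze previous versions from PDF files"
    category: pdf-analysis
    platform: linux
    in_remnux: true
    labs: []
    typical_usage:
      - "pdfresurrect document.pdf"
    for610_sections: [1]
    tags: [pdf, versioning]

  - id: qpdf
    name: "qpdf"
    aliases: []
    description: "Decrypt, linearize, and transform PDF files — useful for removing password protection"
    category: pdf-analysis
    platform: linux
    in_remnux: true
    labs: []
    typical_usage:
      - "qpdf --decrypt encrypted.pdf output.pdf"
    for610_sections: [3]
    tags: [pdf, decryption, transformation]

  - id: pdftk
    name: "pdftk"
    aliases: []
    description: "Manipulate PDF files — merge, split, flatten, encrypt, and extract embedded content"
    category: pdf-analysis
    platform: linux
    in_remnux: true
    labs: []
    typical_usage:
      - "pdftk input.pdf cat output output.pdf flatten"
      - "pdftk input.pdf unpack_files"
    for610_sections: [3]
    tags: [pdf, manipulation, extraction]

  # ============================================================
  # DOCUMENT & MACRO ANALYSIS
  # ============================================================
  - id: oledump-py
    name: "oledump.py"
    aliases: ["oledump"]
    description: "Analyze OLE2 files (Office documents), extract streams and VBA macros"
    category: document-analysis
    platform: linux
    in_remnux: true
    author: "Didier Stevens"
    labs: ["3.3", "3.4", "4.5"]
    typical_usage:
      - "oledump.py document.docm"
      - "oledump.py document.docm -s A3 -v"
      - "oledump.py document.docm -i"
    for610_sections: [3, 4]
    tags: [office, vba, macro, ole, didier-stevens]

  - id: olevba
    name: "olevba"
    aliases: []
    description: "Extract and analyze VBA macros from Office documents with deobfuscation"
    category: document-analysis
    platform: linux
    in_remnux: true
    labs: []
    typical_usage:
      - "olevba document.docm"
      - "olevba --deobf document.docm"
    for610_sections: [3]
    tags: [office, vba, macro, deobfuscation]

  - id: evilclippy
    name: "evilclippy"
    aliases: []
    description: "Remove VBA project password protection and manipulate Office macro settings"
    category: document-analysis
    platform: both
    in_remnux: true
    labs: []
    typical_usage:
      - "evilclippy -uu document.docm"
    for610_sections: [3]
    tags: [office, vba, password-removal]

  - id: rtfdump-py
    name: "rtfdump.py"
    aliases: ["rtfdump"]
    description: "Analyze RTF file structure, identify hex-encoded groups and embedded objects"
    category: document-analysis
    platform: linux
    in_remnux: true
    author: "Didier Stevens"
    labs: ["3.5"]
    typical_usage:
      - "rtfdump.py document.rtf"
      - "rtfdump.py document.rtf -s 5 -H -d > extracted.bin"
    for610_sections: [3]
    tags: [rtf, document, didier-stevens]

  - id: base64dump-py
    name: "base64dump.py"
    aliases: ["base64dump"]
    description: "Extract and decode Base64-encoded strings from files"
    category: document-analysis
    platform: linux
    in_remnux: true
    author: "Didier Stevens"
    labs: ["3.4", "4.5"]
    typical_usage:
      - "base64dump.py file.txt"
      - "base64dump.py file.ps1 -n 10"
      - "base64dump.py file.ps1 -s 2 -d"
    for610_sections: [3, 4]
    tags: [base64, decoding, didier-stevens]

  - id: emldump-py
    name: "emldump.py"
    aliases: ["emldump"]
    description: "Parse and analyze EML email message files"
    category: document-analysis
    platform: linux
    in_remnux: true
    author: "Didier Stevens"
    labs: []
    typical_usage:
      - "emldump.py message.eml"
    for610_sections: [3]
    tags: [email, eml, didier-stevens]

  - id: zipdump-py
    name: "zipdump.py"
    aliases: ["zipdump"]
    description: "Parse and analyze ZIP archive structure"
    category: document-analysis
    platform: linux
    in_remnux: true
    author: "Didier Stevens"
    labs: []
    typical_usage:
      - "zipdump.py archive.zip"
    for610_sections: [3]
    tags: [zip, archive, didier-stevens]

  - id: numbers-to-string-py
    name: "numbers-to-string.py"
    aliases: []
    description: "Convert sequences of decimal numbers to readable characters"
    category: document-analysis
    platform: linux
    in_remnux: true
    author: "Didier Stevens"
    labs: ["3.3"]
    typical_usage:
      - "oledump.py doc.docm -s A3 -v | numbers-to-string.py -j"
    for610_sections: [3]
    tags: [decoding, deobfuscation, didier-stevens]

  - id: translate-py
    name: "translate.py"
    aliases: []
    description: "Transform data using Python expressions (XOR, ADD, etc.)"
    category: document-analysis
    platform: linux
    in_remnux: true
    author: "Didier Stevens"
    labs: ["3.4"]
    typical_usage:
      - "translate.py \"byte ^ 35\" < input.bin > output.bin"
    for610_sections: [3]
    tags: [xor, transformation, decoding, didier-stevens]

  # ============================================================
  # STATIC ANALYSIS (PE)
  # ============================================================
  - id: pestudio
    name: "PeStudio"
    aliases: []
    description: "GUI tool for examining static properties of PE files — imports, strings, sections, entropy, indicators"
    category: static-analysis-pe
    platform: windows
    in_remnux: false
    labs: ["1.1", "1.5", "2.7", "3.10", "3.12", "4.1", "4.2", "4.3", "4.7", "4.8", "5.3", "5.4", "5.8", "5.9", "5.10"]
    typical_usage:
      - "pestudio.exe specimen.exe"
    for610_sections: [1, 2, 3, 4, 5]
    tags: [pe, static-analysis, imports, strings, entropy, triage]

  - id: peframe
    name: "peframe"
    aliases: []
    description: "Static analysis of PE files — extract properties, detect anomalies, identify packers"
    category: static-analysis-pe
    platform: linux
    in_remnux: true
    labs: ["1.1", "4.8"]
    typical_usage:
      - "peframe specimen.exe"
    for610_sections: [1, 4]
    tags: [pe, static-analysis, triage]

  - id: pestr
    name: "pestr"
    aliases: []
    description: "Extract ASCII and Unicode strings from PE files"
    category: static-analysis-pe
    platform: linux
    in_remnux: true
    labs: ["1.1", "4.8"]
    typical_usage:
      - "pestr specimen.exe"
    for610_sections: [1, 4]
    tags: [pe, strings, static-analysis]

  - id: strings
    name: "strings"
    aliases: []
    description: "Extract printable ASCII and Unicode strings from binary files"
    category: static-analysis-pe
    platform: linux
    in_remnux: true
    # NOTE(review): lab "5.2" is listed but section 5 is absent from
    # for610_sections; every other entry lists the section of each lab — confirm
    labs: ["3.4", "5.2"]
    typical_usage:
      - "strings binary.exe"
      - "strings -n 10 binary.exe"
      - "strings --encoding=l binary.exe"
    for610_sections: [1, 3]
    tags: [strings, static-analysis, triage]

  - id: bytehist
    name: "Bytehist"
    aliases: []
    description: "Generate byte-usage histograms to visually identify packed or encrypted sections in binaries"
    category: static-analysis-pe
    platform: both
    in_remnux: true
    labs: []
    typical_usage:
      - "bytehist specimen.exe"
    for610_sections: [1, 4]
    tags: [pe, entropy, packing-detection, histogram]

  - id: diec
    name: "diec"
    aliases: ["Detect It Easy", "DIE"]
    description: "Detect packers, compilers, and tools used to create executables"
    category: static-analysis-pe
    platform: both
    in_remnux: true
    labs: ["4.1"]
    typical_usage:
      - "diec specimen.exe"
    for610_sections: [1, 4]
    tags: [pe, packer-detection, compiler-detection]

  - id: exeinfo-pe
    name: "ExeInfo PE"
    aliases: ["ExeInfoPE", "ExeInfo"]
    description: "Identify tools and packers used to create PE executables"
    category: static-analysis-pe
    platform: windows
    in_remnux: false
    labs: ["3.12"]
    typical_usage:
      - "ExeInfoPE.exe specimen.exe"
    for610_sections: [1, 3]
    tags: [pe, packer-detection]

  - id: cff-explorer
    name: "CFF Explorer"
    aliases: []
    description: "View and edit PE file headers, sections, imports, and resources"
    category: static-analysis-pe
    platform: windows
    in_remnux: false
    labs: []
    typical_usage:
      - "CFF Explorer specimen.exe"
    for610_sections: [1]
    tags: [pe, header-editing, resources]

  - id: file
    name: "file"
    aliases: []
    description: "Determine file type and MIME type using magic bytes"
    category: static-analysis-pe
    platform: linux
    in_remnux: true
    labs: ["3.4", "3.5"]
    typical_usage:
      - "file specimen.exe"
      - "file document.doc"
    for610_sections: [3]
    tags: [file-identification, triage]

  - id: trid
    name: "trid"
    aliases: []
    description: "Identify file type by scanning binary signatures database"
    category: static-analysis-pe
    platform: linux
    in_remnux: true
    labs: ["3.3", "3.4"]
    typical_usage:
      - "trid document.doc"
    for610_sections: [3]
    tags: [file-identification, triage]

  - id: exiftool
    name: "exiftool"
    aliases: []
    description: "Extract metadata from files (PDF, images, documents, executables)"
    category: static-analysis-pe
    platform: linux
    in_remnux: true
    labs: []
    typical_usage:
      - "exiftool document.pdf"
      - "exiftool specimen.exe"
    for610_sections: [1]
    tags: [metadata, triage]

  # ============================================================
  # BEHAVIORAL ANALYSIS
  # ============================================================
  - id: system-informer
    name: "System Informer"
    aliases: ["Process Hacker"]
    description: "Monitor processes, network connections, handles, and system resources in real time"
    category: behavioral-analysis
    platform: windows
    in_remnux: false
    labs: ["1.2", "1.3", "1.6", "1.7", "1.8", "4.2", "4.5", "5.1"]
    typical_usage:
      - "SystemInformer.exe"
    for610_sections: [1, 4, 5]
    tags: [process-monitoring, handles, network, real-time]

  - id: process-monitor
    name: "Process Monitor"
    aliases: ["ProcMon", "procmon"]
    description: "Record file system, registry, process, and thread activity in real time"
    category: behavioral-analysis
    platform: windows
    in_remnux: false
    labs: ["1.2", "4.5"]
    typical_usage:
      - "Procmon.exe"
    for610_sections: [1, 4]
    tags: [filesystem, registry, process-monitoring, real-time]

  - id: regshot
    name: "Regshot"
    aliases: []
    description: "Take and compare registry/filesystem snapshots before and after infection"
    category: behavioral-analysis
    platform: windows
    in_remnux: false
    labs: ["1.2"]
    typical_usage:
      - "Regshot-x64-Unicode.exe"
    for610_sections: [1]
    tags: [registry, filesystem, snapshot, comparison]

  - id: procdot
    name: "ProcDOT"
    aliases: []
    description: "Visualize Process Monitor logs as interactive graphs for behavioral analysis"
    category: behavioral-analysis
    platform: both
    in_remnux: true
    labs: ["1.2", "4.5"]
    typical_usage:
      - "procdot"
    for610_sections: [1, 4]
    tags: [visualization, process-monitor, behavioral]

  - id: autoruns
    name: "Autoruns"
    aliases: []
    description: "View and manage all autostart locations — startup programs, services, drivers, scheduled tasks"
    category: behavioral-analysis
    platform: windows
    in_remnux: false
    labs: []
    typical_usage:
      - "Autoruns.exe"
    for610_sections: [1]
    tags: [persistence, autostart, startup]

  - id: api-monitor
    name: "API Monitor"
    aliases: []
    description: "Monitor and record API calls made by processes"
    category: behavioral-analysis
    platform: windows
    in_remnux: false
    labs: []
    typical_usage:
      - "apimonitor-x64.exe"
    for610_sections: [1]
    tags: [api-calls, monitoring, dynamic-analysis]

  - id: tcplogview
    name: "TcpLogView"
    aliases: []
    description: "Log opened and closed TCP connections with process information"
    category: behavioral-analysis
    platform: windows
    in_remnux: false
    labs: []
    typical_usage:
      - "TcpLogView.exe"
    for610_sections: [1]
    tags: [network, tcp, connection-logging]

  # ============================================================
  # NETWORK ANALYSIS & INTERCEPTION
  # ============================================================
  # The lab-setup entries (fakedns, inetsim, httpd, iptables) are meant for an
  # isolated analysis network; example interface/IP values are placeholders.
  - id: wireshark
    name: "Wireshark"
    aliases: []
    description: "GUI network protocol analyzer for capturing and inspecting packet-level traffic"
    category: network-analysis
    platform: both
    in_remnux: true
    labs: ["1.2", "1.3", "1.6", "1.7", "1.8", "5.1"]
    typical_usage:
      - "wireshark"
      - "wireshark -r capture.pcap"
    for610_sections: [1, 5]
    tags: [packet-capture, protocol-analysis, network]

  - id: tshark
    name: "tshark"
    aliases: []
    description: "Command-line interface to Wireshark for packet capture and analysis"
    category: network-analysis
    platform: both
    in_remnux: true
    labs: []
    typical_usage:
      - "tshark -r capture.pcap"
      - "tshark -i eth0 -w capture.pcap"
    for610_sections: [1]
    tags: [packet-capture, cli, network]

  - id: tcpdump
    name: "tcpdump"
    aliases: []
    description: "Command-line packet capture tool"
    category: network-analysis
    platform: linux
    in_remnux: true
    labs: []
    typical_usage:
      - "tcpdump -i eth0 -w capture.pcap"
      - "tcpdump -r capture.pcap"
    for610_sections: [1]
    tags: [packet-capture, cli, network]

  - id: fiddler
    name: "Fiddler"
    aliases: []
    description: "HTTP/HTTPS debugging proxy for intercepting, inspecting, and modifying web traffic"
    category: network-analysis
    platform: windows
    in_remnux: false
    labs: ["3.2", "3.8", "3.9", "3.10", "3.11", "3.12", "4.5"]
    typical_usage:
      - "Fiddler.exe"
    for610_sections: [3, 4]
    tags: [http, https, proxy, web-traffic]

  - id: fakedns
    name: "fakedns"
    aliases: []
    description: "Fake DNS server that resolves all queries to a specified IP for traffic interception"
    category: network-analysis
    platform: linux
    in_remnux: true
    labs: ["1.3", "1.6", "1.7", "1.8"]
    typical_usage:
      - "fakedns"
    for610_sections: [1]
    tags: [dns, spoofing, interception, lab-setup]

  - id: inetsim
    name: "INetSim"
    aliases: []
    description: "Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for malware analysis in isolated labs"
    category: network-analysis
    platform: linux
    in_remnux: true
    labs: ["1.7"]
    typical_usage:
      - "inetsim"
    for610_sections: [1]
    tags: [service-emulation, network-simulation, lab-setup]

  - id: httpd
    name: "httpd"
    aliases: ["accept-all-ips"]
    description: "Simple HTTP server on REMnux for simulating C2 web servers"
    category: network-analysis
    platform: linux
    in_remnux: true
    labs: ["1.3", "1.6", "1.8"]
    typical_usage:
      - "httpd"
    for610_sections: [1]
    tags: [http, web-server, c2-simulation, lab-setup]

  - id: iptables
    name: "iptables"
    aliases: []
    description: "Linux firewall and NAT tool for redirecting IP-based malware traffic"
    category: network-analysis
    platform: linux
    in_remnux: true
    labs: ["1.8"]
    typical_usage:
      - "iptables -t nat -A PREROUTING -i ens32 -j REDIRECT"
    for610_sections: [1]
    tags: [firewall, nat, traffic-redirection]

  - id: netcat
    name: "nc"
    aliases: ["netcat"]
    description: "Network utility for reading/writing data across TCP/UDP connections"
    category: network-analysis
    platform: both
    in_remnux: true
    labs: []
    typical_usage:
      - "nc -l -p 3127"
      - "nc target_ip 80"
    for610_sections: [1]
    tags: [network, tcp, listener]

  - id: nslookup
    name: "nslookup"
    aliases: []
    description: "DNS query tool for testing name resolution"
    category: network-analysis
    platform: both
    in_remnux: true
    labs: ["1.3"]
    typical_usage:
      - "nslookup domain.com"
    for610_sections: [1]
    tags: [dns, testing]

  - id: thug
    name: "Thug"
    aliases: []
    description: "Low-interaction honeyclient for analyzing malicious websites and drive-by downloads"
    category: network-analysis
    platform: linux
    in_remnux: true
    labs: []
    typical_usage:
      - "thug -u win7chrome49 http://suspicious-site.com"
    for610_sections: [3]
    tags: [honeyclient, web-analysis, drive-by]

  - id: burp-suite
    name: "Burp Suite"
    aliases: ["Burp"]
    description: "Web application security proxy for intercepting and modifying HTTP/HTTPS traffic"
    category: network-analysis
    platform: both
    in_remnux: false
    labs: []
    typical_usage:
      - "burpsuite"
    for610_sections: [3]
    tags: [http, https, proxy, web-security]

  - id: torsocks
    name: "torsocks"
    aliases: []
    description: "Route network traffic through the Tor anonymity network"
    category: network-analysis
    platform: linux
    in_remnux: true
    labs: []
    typical_usage:
      - "torsocks curl http://example.onion"
    for610_sections: [1]
    tags: [tor, anonymity, network-routing]

  # ============================================================
  # CODE ANALYSIS & DISASSEMBLY
  # ============================================================
  - id: ghidra
    name: "Ghidra"
    aliases: []
    description: "Open-source disassembler and decompiler from NSA with scripting, function graphs, and data type management"
    category: code-analysis
    platform: both
    in_remnux: true
    labs: ["2.1", "2.2", "2.3", "2.4", "2.5", "2.6", "2.7", "2.8", "4.9", "5.2", "5.4", "5.5", "5.6", "5.7", "5.9"]
    typical_usage:
      - "ghidra"
    for610_sections: [2, 4, 5]
    tags: [disassembly, decompilation, code-analysis, function-graph]

  - id: ida
    name: "IDA"
    aliases: ["IDA Pro", "IDA Freeware"]
    description: "Commercial interactive disassembler and debugger from Hex-Rays"
    category: code-analysis
    platform: both
    in_remnux: false
    labs: []
    typical_usage:
      - "ida64.exe specimen.exe"
    for610_sections: [2]
    tags: [disassembly, decompilation, commercial]

  - id: binary-ninja
    name: "Binary Ninja"
    aliases: []
    description: "Commercial disassembler with strong automated analysis and scripting"
    category: code-analysis
    platform: both
    in_remnux: false
    labs: []
    typical_usage:
      - "binaryninja specimen.exe"
    for610_sections: [2]
    tags: [disassembly, commercial]

  - id: cutter
    name: "Cutter"
    aliases: []
    description: "Open-source reverse engineering platform — Qt-based GUI for radare2"
    category: code-analysis
    platform: both
    in_remnux: true
    labs: []
    typical_usage:
      - "cutter specimen.exe"
    for610_sections: [2]
    tags: [disassembly, radare2, open-source]

  - id: radare2
    name: "radare2"
    aliases: ["r2"]
    description: "Open-source reverse engineering command-line framework"
    category: code-analysis
    platform: both
    in_remnux: true
    labs: []
    typical_usage:
      - "r2 specimen.exe"
    for610_sections: [2]
    tags: [disassembly, cli, open-source]

  # ============================================================
  # DEBUGGING
  # ============================================================
  - id: x64dbg
    name: "x64dbg"
    aliases: []
    description: "Open-source 64-bit debugger for dynamic malware analysis — breakpoints, memory inspection, patching"
    category: debugging
    platform: windows
    in_remnux: false
    labs: ["1.5", "4.3", "4.4", "5.1"]
    typical_usage:
      - "x64dbg.exe specimen.exe"
    for610_sections: [1, 4, 5]
    tags: [debugger, 64-bit, dynamic-analysis, breakpoints]

  - id: x32dbg
    name: "x32dbg"
    aliases: []
    description: "Open-source 32-bit debugger for dynamic malware analysis — breakpoints, memory inspection, patching"
    category: debugging
    platform: windows
    in_remnux: false
    labs: ["3.5", "3.10", "4.6", "4.7", "5.3", "5.4", "5.5", "5.6", "5.7", "5.8", "5.9", "5.10"]
    typical_usage:
      - "x32dbg.exe specimen.exe"
    for610_sections: [3, 4, 5]
    tags: [debugger, 32-bit, dynamic-analysis, breakpoints]

  - id: ollydbg
    name: "OllyDbg"
    aliases: []
    description: "Classic 32-bit debugger for Windows (legacy, predecessor to x32dbg)"
    category: debugging
    platform: windows
    in_remnux: false
    labs: []
    typical_usage:
      - "ollydbg.exe specimen.exe"
    for610_sections: [4, 5]
    tags: [debugger, 32-bit, legacy]

  - id: windbg
    name: "WinDbg"
    aliases: []
    description: "Microsoft Windows debugger for kernel and user-mode debugging"
    category: debugging
    platform: windows
    in_remnux: false
    labs: []
    typical_usage:
      - "windbg.exe specimen.exe"
    for610_sections: [2]
    tags: [debugger, kernel, microsoft]

  # ============================================================
  # EMULATION & SANDBOXING
  # ============================================================
  - id: speakeasy
    name: "speakeasy"
    aliases: []
    description: "Windows binary emulator — emulates API calls to analyze malware behavior without native execution"
    category: emulation
    platform: linux
    in_remnux: true
    labs: ["1.4"]
    typical_usage:
      - "speakeasy -t specimen.exe -o report.json 2> report.txt"
      - "speakeasy -t shellcode.bin -r -a x86"
    for610_sections: [1]
    tags: [emulation, api-calls, behavioral-analysis]

  - id: scdbgc
    name: "scdbgc"
    aliases: ["scdbg"]
    description: "Shellcode emulator — analyze shellcode behavior through API-level emulation"
    category: emulation
    platform: both
    in_remnux: true
    labs: ["3.4", "3.5", "4.6"]
    typical_usage:
      - "scdbgc /f shellcode.bin /s -1"
      - "scdbgc /f shellcode.bin /foff 0x3B /fopen qa.doc"
      - "scdbgc /f shellcode.bin /s -1 /norw"
    for610_sections: [3, 4]
    tags: [shellcode, emulation, api-calls]

  - id: runsc32
    name: "runsc32"
    aliases: ["runsc"]
    description: "Execute extracted shellcode for dynamic analysis"
    category: emulation
    platform: windows
    in_remnux: false
    labs: ["3.5", "4.6"]
    typical_usage:
      - "runsc32 -f shellcode.bin -o 0x3B -d qa.doc"
    for610_sections: [3, 4]
    tags: [shellcode, execution, dynamic-analysis]

  - id: box-js
    name: "box-js"
    aliases: []
    description: "JavaScript sandbox for analyzing malicious scripts by emulating browser/WScript APIs"
    category: emulation
    platform: linux
    in_remnux: true
    labs: []
    typical_usage:
      - "box-js --output-dir=/tmp suspicious.js"
    for610_sections: [3]
    tags: [javascript, sandbox, emulation]

  # ============================================================
  # UNPACKING & DUMPING
  # ============================================================
  - id: upx
    name: "UPX"
    aliases: ["upx"]
    description: "Universal Packer for eXecutables — compress and decompress PE files"
    category: unpacking
    platform: both
    in_remnux: true
    labs: ["4.2"]
    typical_usage:
      - "upx -d packed.exe"
      - "upx -d packed.exe -o unpacked.exe"
    for610_sections: [4]
    tags: [packer, unpacker, compression]

  - id: scylla
    name: "Scylla"
    aliases: []
    description: "Dump processes from memory and reconstruct import address tables (IAT)"
    category: unpacking
    platform: windows
    in_remnux: false
    labs: ["4.2", "4.3", "5.4", "5.8", "5.10"]
    typical_usage:
      - "Scylla x64 > Attach to process > Dump > IAT Autosearch > Fix Dump"
    for610_sections: [4, 5]
    tags: [memory-dump, iat-reconstruction, unpacking]

  - id: ollydumpex
    name: "OllyDumpEx"
    aliases: []
    description: "x64dbg/x32dbg plugin for dumping unpacked process memory to disk"
    category: unpacking
    platform: windows
    in_remnux: false
    labs: ["4.3", "5.4", "5.8"]
    typical_usage:
      - "Plugins > OllyDumpEx > Dump process"
    for610_sections: [4, 5]
    tags: [memory-dump, x64dbg-plugin, unpacking]

  - id: pe-unmapper
    name: "pe_unmapper"
    aliases: []
    description: "Convert dumped PE from virtual memory alignment to raw disk alignment"
    category: unpacking
    platform: windows
    in_remnux: false
    labs: ["5.10"]
    typical_usage:
      - "pe_unmapper /in dumped.exe /base 400000 /out fixed.exe"
    for610_sections: [5]
    tags: [pe-fixup, memory-dump, alignment]

  - id: setdllcharacteristics
    name: "setdllcharacteristics"
    aliases: []
    description: "Modify PE header flags — commonly used to disable ASLR (DynamicBase)"
    category: unpacking
    platform: windows
    in_remnux: false
    author: "Didier Stevens"
    labs: ["4.2"]
    typical_usage:
      - "setdllcharacteristics -d specimen.exe"
    for610_sections: [4]
    tags: [pe-header, aslr, didier-stevens]

  # ============================================================
  # .NET ANALYSIS
  # ============================================================
  - id: ilspy
    name: "ILSpy"
    aliases: []
    description: ".NET assembly decompiler — view C#/VB.NET source from compiled .NET binaries"
    category: dotnet-analysis
    platform: windows
    in_remnux: false
    labs: ["3.12", "4.8"]
    typical_usage:
      - "ILSpy.exe assembly.exe"
    for610_sections: [3, 4]
    tags: [dotnet, decompiler, csharp]

  - id: ilspycmd
    name: "ilspycmd"
    aliases: []
    description: "Command-line .NET decompiler (CLI version of ILSpy)"
    category: dotnet-analysis
    platform: linux
    in_remnux: true
    labs: ["4.8"]
    typical_usage:
      - "ilspycmd assembly.exe > decompiled.cs"
    for610_sections: [4]
    tags: [dotnet, decompiler, cli]

  - id: dnspyex
    name: "dnSpyEx"
    aliases: ["dnSpy"]
    description: ".NET debugger and decompiler — debug obfuscated/packed .NET malware with breakpoints"
    category: dotnet-analysis
    platform: windows
    in_remnux: false
    labs: ["4.8"]
    typical_usage:
      - "dnSpyEx.exe assembly.exe"
    for610_sections: [4]
    tags: [dotnet, debugger, decompiler]

  - id: de4dot
    name: "de4dot"
    aliases: []
    description: ".NET deobfuscator — remove obfuscation from .NET assemblies"
    category: dotnet-analysis
    platform: both
    in_remnux: true
    labs: ["4.8"]
    typical_usage:
      - "de4dot obfuscated.exe"
    for610_sections: [4]
    tags: [dotnet, deobfuscation]

  - id: dotpeek
    name: "dotPeek"
    aliases: []
    description: "Free JetBrains .NET decompiler — alternative to ILSpy for viewing .NET source"
    category: dotnet-analysis
    platform: windows
    in_remnux: false
    labs: []
    typical_usage:
      - "dotPeek.exe assembly.exe"
    for610_sections: [4]
    tags: [dotnet, decompiler, jetbrains]

  - id: dotdumper
    name: "DotDumper"
    aliases: []
    description: "Execution monitor and memory extractor for automatic .NET malware unpacking"
    category: dotnet-analysis
    platform: windows
    in_remnux: false
    labs: []
    typical_usage:
      - "DotDumper.exe -file chatroom.exe"
    for610_sections: [4]
    tags: [dotnet, unpacking, memory-extraction, automated]

  # ============================================================
  # JAVASCRIPT ANALYSIS
  # ============================================================
  - id: spidermonkey
    name: "SpiderMonkey"
    aliases: ["js"]
    description: "Mozilla JavaScript engine — execute and deobfuscate malicious JavaScript outside a browser"
    category: javascript-analysis
    platform: linux
    in_remnux: true
    labs: ["3.6", "3.7", "4.5"]
    typical_usage:
      - "js -f malicious.js"
      - "js -f /usr/share/remnux/objects.js -f malicious.js > decoded.js"
    for610_sections: [3, 4]
    tags: [javascript, deobfuscation, execution]

  - id: js-beautify
    name: "js-beautify"
    aliases: []
    description: "Format and beautify obfuscated JavaScript code for readability"
    category: javascript-analysis
    platform: linux
    in_remnux: true
    # NOTE(review): lab "4.5" is listed but section 4 is absent from
    # for610_sections; every other entry lists the section of each lab — confirm
    labs: ["3.6", "4.5"]
    typical_usage:
      - "js-beautify malicious.js > beautified.js"
    for610_sections: [3]
    tags: [javascript, formatting, readability]

  - id: cscript
    name: "CScript"
    aliases: ["cscript.exe"]
    description: "Windows Script Host command-line — execute JScript/VBScript for AMSI monitoring"
    category: javascript-analysis
    platform: windows
    in_remnux: false
    labs: ["3.6"]
    typical_usage:
      - "cscript malicious.js"
    for610_sections: [3]
    tags: [javascript, vbscript, windows-script-host]

  # ============================================================
  # POWERSHELL ANALYSIS
  # ============================================================
  - id: powershell-ise
    name: "PowerShell ISE"
    aliases: ["powershell_ise"]
    description: "PowerShell Integrated Scripting Environment — debug scripts with breakpoints and variable inspection"
    category: powershell-analysis
    platform: windows
    in_remnux: false
    labs: ["3.9", "3.11", "4.5"]
    typical_usage:
      - "powershell_ise script.ps1"
    for610_sections: [3, 4]
    tags: [powershell, debugger, script-analysis]

  - id: logman
    name: "logman"
    aliases: []
    description: "Windows Event Trace session manager — enable AMSI script content logging"
    category: powershell-analysis
    platform: windows
    in_remnux: false
    labs: ["3.6"]
    typical_usage:
      - "logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets"
      - "logman stop AMSITrace -ets"
    for610_sections: [3]
    tags: [amsi, event-tracing, monitoring]

  - id: amsiscriptcontentretrieval
    name: "AMSIScriptContentRetrieval"
    aliases: []
    description: "Extract monitored script content from AMSI Event Trace logs"
    category: powershell-analysis
    platform: windows
    in_remnux: false
    labs: ["3.6"]
    typical_usage:
      - "AMSIScriptContentRetrieval AMSITrace.etl > output.txt"
    for610_sections: [3]
    tags: [amsi, script-extraction]

  # ============================================================
  # STRING & DATA DEOBFUSCATION
  # ============================================================
  - id: floss
    name: "FLOSS"
    aliases: ["floss"]
    description: "Automatically extract obfuscated strings from malware using static analysis, stack strings, and emulation"
    category: string-deobfuscation
    platform: both
    in_remnux: true
    labs: ["5.2", "5.3"]
    typical_usage:
      - "floss specimen.exe"
      - "floss specimen.exe > strings-output.txt"
      - "floss --no-static -- specimen.exe"
    for610_sections: [5]
    tags: [strings, deobfuscation, automated]

  - id: xorsearch
    name: "XORSearch"
    aliases: []
    description: "Search for XOR/ROL/ROT/SHIFT-encoded patterns including shellcode signatures"
    category: string-deobfuscation
    platform: linux
    in_remnux: true
    author: "Didier Stevens"
    labs: ["3.5", "5.2"]
    typical_usage:
      - "XORSearch -W -d 3 file.bin"
      - "XORSearch -i -s specimen.exe http:"
    for610_sections: [3, 5]
    tags: [xor, shellcode-detection, pattern-search, didier-stevens]

  - id: brxor-py
    name: "brxor.py"
    aliases: []
    description: "Brute-force XOR key detection for single-byte XOR-encoded strings"
    category: string-deobfuscation
    platform: linux
    in_remnux: true
    labs: ["5.2"]
    typical_usage:
      - "brxor.py specimen.dll"
    for610_sections: [5]
    tags: [xor, brute-force, deobfuscation]

  - id: bbcrack
    name: "bbcrack"
    aliases: []
    description: "Detect and decode strings obfuscated with XOR, ROL, and ADD algorithms"
    category: string-deobfuscation
    platform: linux
    in_remnux: true
    labs: ["5.2"]
    typical_usage:
      - "bbcrack -l 1 specimen.dll"
    for610_sections: [5]
    tags: [xor, rol, add, deobfuscation, balbuzard]

  - id: strdeob-pl
    name: "strdeob.pl"
    aliases: []
    description: "Automatically decode stack-built strings from disassembled malware"
    category: string-deobfuscation
    platform: linux
    in_remnux: true
    labs: ["5.2"]
    typical_usage:
      - "strdeob.pl specimen.exe"
    for610_sections: [5]
    tags: [stack-strings, deobfuscation]

  - id: cyberchef
    name: "CyberChef"
    aliases: []
    description: "Web-based data transformation tool — decode Base64, XOR, hex, decompress, and chain operations"
    category: string-deobfuscation
    platform: both
    in_remnux: true
    labs: ["1.5", "3.8", "3.12"]
    typical_usage:
      - "cyberchef"
    for610_sections: [1, 3]
    tags: [decoding, encoding, transformation, web-based]

  # ============================================================
  # YARA & CAPABILITY DETECTION
  # ============================================================
  - id: capa
    name: "capa"
    aliases: []
    description: "Identify malware capabilities mapped to MITRE ATT&CK framework and Malware Behavior Catalog"
    category: yara-detection
    platform: both
    in_remnux: true
    labs: ["1.4", "5.4"]
    typical_usage:
      - "capa specimen.exe"
      - "capa -vv specimen.exe"
      - "capa -vv specimen.exe | grep -A7 'Suspended Process'"
    for610_sections: [1, 5]
    tags: [capabilities, mitre-attack, automated-analysis]

  - id: yara
    name: "yara"
    aliases: ["yara-rules"]
    description: "Pattern matching tool for identifying and classifying malware using custom rules"
    category: yara-detection
    platform: both
    in_remnux: true
    labs: ["3.4"]
    typical_usage:
      - "yara-rules specimen.bin"
      - "yara rule.yar specimen.exe"
    for610_sections: [3]
    tags: [pattern-matching, classification, rules]

  - id: 1768-py
    name: "1768.py"
    aliases: []
    description: "Parse Cobalt Strike beacon configuration from shellcode or memory dumps"
    category: yara-detection
    platform: linux
    in_remnux: true
    author: "Didier Stevens"
    labs: ["3.4"]
    typical_usage:
      - "1768.py shellcode.bin"
    for610_sections: [3]
    tags: [cobalt-strike, beacon, c2-config, didier-stevens]

  # ============================================================
  # ANTI-ANALYSIS BYPASS
  # ============================================================
  - id: scyllahide
    name: "ScyllaHide"
    aliases: []
    description: "x64dbg/x32dbg plugin to hide debugger presence from anti-debugging checks"
    category: anti-analysis
    platform: windows
    in_remnux: false
    labs: ["5.3", "5.6"]
    typical_usage:
      - "Plugins > ScyllaHide > Options > Enable all"
    for610_sections: [5]
    tags: [anti-debugging, debugger-hiding, x64dbg-plugin]

  - id: xanalyzer
    name: "xAnalyzer"
    aliases: []
    description: "x32dbg plugin providing extended analysis — API parameter names and types in disassembly"
    category: anti-analysis
    platform: windows
    in_remnux: false
    labs: ["5.10"]
    typical_usage:
      - "Plugins > xAnalyzer"
    for610_sections: [5]
    tags: [x32dbg-plugin, analysis-enhancement]

  # ============================================================
  # ONLINE ANALYSIS PLATFORMS
  # ============================================================
  # Uploading a specimen to a public service shares it (and any embedded data)
  # with a third party; check the sample-handling policy before submitting.
  - id: virustotal
    name: "VirusTotal"
    aliases: ["VT"]
    description: "Multi-engine antivirus scanning, behavioral analysis, and threat intelligence"
    category: online-platforms
    platform: online
    in_remnux: false
    labs: []
    typical_usage:
      - "https://virustotal.com"
    for610_sections: [1]
    tags: [scanning, multi-engine, threat-intel]

  - id: hybrid-analysis
    name: "Hybrid Analysis"
    aliases: []
    description: "CrowdStrike automated sandbox for malware detonation and behavioral reporting"
    category: online-platforms
    platform: online
    in_remnux: false
    labs: []
    typical_usage:
      - "https://hybrid-analysis.com"
    for610_sections: [1]
    tags: [sandbox, behavioral, crowdstrike]

  - id: any-run
    name: "Any.run"
    aliases: []
    description: "Interactive online malware analysis sandbox with real-time process monitoring"
    category: online-platforms
    platform: online
    in_remnux: false
    labs: []
    typical_usage:
      - "https://any.run"
    for610_sections: [1]
    tags: [sandbox, interactive, real-time]

  - id: cape-sandbox
    name: "CAPE Sandbox"
    aliases: ["CAPE"]
    description: "Automated malware analysis sandbox with payload extraction and config dumping"
    category: online-platforms
    platform: online
    in_remnux: false
    labs: []
    typical_usage:
      - "https://capesandbox.com"
    for610_sections: [1]
    tags: [sandbox, automated, payload-extraction]

  - id: malwarebazaar
    name: "MalwareBazaar"
    aliases: []
    description: "Malware sample sharing platform by abuse.ch"
    category: online-platforms
    platform: online
    in_remnux: false
    labs: []
    typical_usage:
      - "https://bazaar.abuse.ch"
    for610_sections: [1]
    tags: [sample-sharing, repository]

  - id: intezer-analyze
    name: "Intezer Analyze"
    aliases: []
    description: "Automated code analysis platform for malware classification using code reuse detection"
    category: online-platforms
    platform: online
    in_remnux: false
    labs: []
    typical_usage:
      - "https://analyze.intezer.com"
    for610_sections: [1]
    tags: [code-reuse, classification, automated]

  - id: filescan-io
    name: "FileScan.IO"
    aliases: []
    description: "Online malware analysis sandbox with multi-format support"
    category: online-platforms
    platform: online
    in_remnux: false
    labs: []
    typical_usage:
      - "https://filescan.io"
    for610_sections: [1]
    tags: [sandbox, online]

  - id: urlscan-io
    name: "urlscan.io"
    aliases: []
    description: "Website and URL investigation service — screenshots, DOM analysis, network requests"
    category: online-platforms
    platform: online
    in_remnux: false
    labs: []
    typical_usage:
      - "https://urlscan.io"
    for610_sections: [1]
    tags: [url-analysis, website-investigation]

  - id: shodan
    name: "Shodan"
    aliases: []
    description: "Search engine for internet-connected devices and exposed services"
    category: online-platforms
    platform: online
    in_remnux: false
    labs: []
    typical_usage:
      - "https://shodan.io"
    for610_sections: [1]
    tags: [infrastructure, reconnaissance]

  - id: otx
    name: "Open Threat Exchange"
    aliases: ["OTX", "LevelBlue Labs"]
    description: "Threat intelligence sharing platform for indicators of compromise"
    category: online-platforms
    platform: online
    in_remnux: false
    labs: []
    typical_usage:
      - "https://otx.alienvault.com"
    for610_sections: [1]
    # NOTE(review): the catalog continues beyond this point; the tags value for
    # this entry was not visible in the reviewed chunk
    tags: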
[threat-intel, ioc-sharing] - id: threatfox name: "ThreatFox" aliases: [] description: "Threat intelligence platform for sharing IOCs associated with malware" category: online-platforms platform: online in_remnux: false labs: [] typical_usage: - "https://threatfox.abuse.ch" for610_sections: [1] tags: [threat-intel, ioc-sharing, abuse-ch] - id: securitytrails name: "SecurityTrails" aliases: [] description: "Historical DNS records and IP/domain intelligence" category: online-platforms platform: online in_remnux: false labs: [] typical_usage: - "https://securitytrails.com" for610_sections: [1] tags: [dns-history, domain-intel] - id: unpacme name: "UnpacMe" aliases: [] description: "Automated online malware unpacking service" category: online-platforms platform: online in_remnux: false labs: [] typical_usage: - "https://www.unpac.me" for610_sections: [4] tags: [unpacking, automated, online] # ============================================================ # VIRTUALIZATION # ============================================================ - id: vmware-workstation name: "VMware Workstation Pro" aliases: ["VMware"] description: "Desktop hypervisor for running isolated analysis VMs with snapshots and host-only networking" category: virtualization platform: both in_remnux: false labs: [] typical_usage: - "vmware" for610_sections: [1] tags: [hypervisor, vm, isolation] - id: vmware-fusion name: "VMware Fusion" aliases: [] description: "macOS hypervisor for running analysis virtual machines" category: virtualization platform: both in_remnux: false labs: [] typical_usage: - "VMware Fusion.app" for610_sections: [1] tags: [hypervisor, macos] - id: virtualbox name: "VirtualBox" aliases: [] description: "Open-source hypervisor for running analysis virtual machines" category: virtualization platform: both in_remnux: false labs: [] typical_usage: - "VirtualBox" for610_sections: [1] tags: [hypervisor, open-source] # ============================================================ # UTILITIES # 
============================================================ - id: visual-studio-code name: "Visual Studio Code" aliases: ["code", "VS Code"] description: "Code editor used for viewing decompiled output, scripts, and analysis results" category: utilities platform: both in_remnux: true labs: ["1.3", "1.4", "1.5", "3.3", "3.6", "3.7", "4.5", "4.8", "5.2", "5.3"] typical_usage: - "code filename.js" for610_sections: [1, 3, 4, 5] tags: [editor, code-viewer] - id: notepadpp name: "Notepad++" aliases: [] description: "Advanced Windows text editor with syntax highlighting for script analysis" category: utilities platform: windows in_remnux: false labs: ["3.6", "3.8", "3.9", "3.10", "3.11", "3.12", "4.5"] typical_usage: - "notepad++ script.ps1" for610_sections: [3, 4] tags: [editor, windows] - id: jq name: "jq" aliases: [] description: "Command-line JSON processor for extracting and transforming structured data" category: utilities platform: linux in_remnux: true labs: ["1.4"] typical_usage: - "cat report.json | jq '.apis'" - "jq -r '.entry' report.json" for610_sections: [1] tags: [json, data-processing] - id: feh name: "feh" aliases: [] description: "Lightweight image viewer for viewing extracted images from documents" category: utilities platform: linux in_remnux: true labs: ["3.1"] typical_usage: - "feh extracted_image.jpg" for610_sections: [3] tags: [image-viewer] - id: winscp name: "WinSCP" aliases: [] description: "Windows SCP/SFTP client for transferring files between Windows and Linux VMs" category: utilities platform: windows in_remnux: false labs: ["4.5"] typical_usage: - "WinSCP.exe" for610_sections: [4] tags: [file-transfer, scp] - id: wine name: "Wine" aliases: [] description: "Windows compatibility layer — run Windows executables on Linux" category: utilities platform: linux in_remnux: true labs: ["3.5"] typical_usage: - "wine program.exe" for610_sections: [3] tags: [windows-compat, execution] - id: unzip name: "unzip" aliases: [] description: "Extract ZIP 
archives containing malware samples" category: utilities platform: linux in_remnux: true labs: ["1.1", "3.1", "3.3", "3.4", "3.5", "3.6", "3.7", "4.1", "4.8", "5.2", "5.3", "5.4"] typical_usage: - "unzip -P infected sample.zip" for610_sections: [1, 3, 4, 5] tags: [archive, extraction] - id: gunzip name: "gunzip" aliases: [] description: "Decompress gzip-compressed data (often used in multi-stage payload extraction)" category: utilities platform: linux in_remnux: true labs: ["3.4"] typical_usage: - "gunzip -c compressed.gz > output.bin" for610_sections: [3] tags: [compression, extraction] - id: rar name: "rar" aliases: ["unrar"] description: "Extract RAR archives (including self-extracting RAR payloads)" category: utilities platform: both in_remnux: true labs: ["3.5"] typical_usage: - "rar x archive.rar" for610_sections: [3] tags: [archive, extraction] - id: hexdump name: "hexdump" aliases: [] description: "Display file content in hexadecimal format" category: utilities platform: linux in_remnux: true labs: [] typical_usage: - "hexdump -C binary.dat" for610_sections: [1] tags: [hex, binary-viewing] - id: xxd name: "xxd" aliases: [] description: "Create hex dump of a file or reverse a hex dump back to binary" category: utilities platform: linux in_remnux: true labs: [] typical_usage: - "xxd binary.exe" - "xxd -r hexdump.txt > binary.exe" for610_sections: [1] tags: [hex, binary-conversion] - id: binwalk name: "binwalk" aliases: [] description: "Analyze and extract embedded files and firmware images" category: utilities platform: linux in_remnux: true labs: [] typical_usage: - "binwalk firmware.bin" - "binwalk -e firmware.bin" for610_sections: [1] tags: [firmware, extraction, embedded-files] - id: wget name: "wget" aliases: [] description: "Download files from HTTP/HTTPS/FTP servers" category: utilities platform: linux in_remnux: true labs: [] typical_usage: - "wget http://example.com/file.bin" for610_sections: [1] tags: [download, http] - id: curl name: "curl" 
aliases: [] description: "Transfer data to/from servers using various protocols" category: utilities platform: linux in_remnux: true labs: [] typical_usage: - "curl -L http://example.com" - "curl -o output.bin http://example.com/file" for610_sections: [1] tags: [download, http, transfer] - id: reg-export name: "reg_export" aliases: [] description: "Extract registry key values to files — used to recover malware artifacts stored in registry" category: utilities platform: windows in_remnux: false author: "Adam Kramer" labs: ["4.5"] typical_usage: - "reg_export HKCU\\software\\keyname valuename output.js" for610_sections: [4] tags: [registry, extraction, windows] - id: regedit name: "Regedit" aliases: [] description: "Windows Registry Editor for browsing and modifying registry keys" category: utilities platform: windows in_remnux: false labs: ["4.5"] typical_usage: - "regedit.exe" for610_sections: [4] tags: [registry, windows]