# FOR610 Tools Cheat Sheet

## Static Analysis

| Tool | Platform | Description | Book Ref |
|------|----------|-------------|----------|
| **PeStudio** | Windows | Examine PE properties, imports, strings, sections, entropy. Highlights malicious indicators automatically | S1 p.46 |
| **peframe** | REMnux | REMnux alternative to PeStudio — extracts PE properties, detects anomalies | S1 p.48 |
| **pestr** | REMnux | Extract ASCII and Unicode strings from PE files in one shot (part of Pev toolkit) | S1 p.44 |
| **strings** | REMnux | Extract ASCII strings from any binary. Use `--encoding=l` for Unicode | S1 p.44 |
| **Detect It Easy (diec)** | Both | Identify packers, compilers, and build tools used to create executables | S1 p.49 |
| **ExeInfo PE** | Windows | Similar to DIE — identifies tools/packers, can "rip" (carve) embedded artifacts | S1 p.49 |
| **CFF Explorer** | Windows | View/edit PE headers, disable DynamicBase (ASLR) flag | S4 p.22 |
| **capa** | REMnux | Detect malware capabilities mapped to MITRE ATT&CK and MBC frameworks | S1 p.88 |
| **FLOSS** | REMnux | Automatically extract obfuscated strings (static + stack + decoded) | S5 p.28 |
| **file** | REMnux | Identify file type using magic bytes | S3 |
| **trid** | REMnux | Identify file type using signature database | S3 |
| **exiftool** | REMnux | Extract metadata from files (author, timestamps, etc.) | S1 |

## Document Analysis

| Tool | Platform | Description | Book Ref |
|------|----------|-------------|----------|
| **pdfid.py** | REMnux | Scan PDF for suspicious keywords (/JavaScript, /OpenAction, /Launch, /URI) | S3 p.10 |
| **pdf-parser.py** | REMnux | Parse PDF structure, locate objects, extract content, search strings, dump objects | S3 p.11 |
| **peepdf** | REMnux | Interactive PDF analysis framework with JavaScript detection | S3 |
| **oledump.py** | REMnux | Examine OLE2 files — list streams (M=macro), extract VBA with `-s <n> -v` | S3 p.37 |
| **olevba** | REMnux | Extract and deobfuscate VBA macros, detect auto-execute triggers | S3 |
| **rtfdump.py** | REMnux | Analyze RTF structure — find hex-encoded groups at deep nesting levels | S3 |
| **base64dump.py** | REMnux | Find, extract, and decode Base64 strings. `-n 10` shows top hits, `-s <n> -d` decodes | S3 p.46 |
| **numbers-to-string.py** | REMnux | Convert decimal number sequences (from VBA Chr() calls) to readable text | S3 p.40 |
| **translate.py** | REMnux | Transform bytes with Python expressions: `translate.py "byte ^ 35"` for XOR | S3 p.55 |

## Network Interception

| Tool | Platform | Description | Book Ref |
|------|----------|-------------|----------|
| **Wireshark** | Windows | Network sniffer — capture packets, follow TCP streams, extract payloads | S1 p.52 |
| **fakedns** | REMnux | Fake DNS server — resolves ALL queries to REMnux IP | S1 p.71 |
| **INetSim** | REMnux | Emulate internet services: HTTP, HTTPS, DNS, FTP, SMTP, IRC | S1 p.123 |
| **Fiddler** | Windows | HTTP/HTTPS debugging proxy — intercept, inspect, modify web traffic | S3 p.127 |
| **httpd** | REMnux | Simple web server (nginx) for simulating C2 | S1 p.79 |
| **iptables** | REMnux | Redirect IP-based traffic: `iptables -t nat -A PREROUTING -i eth0 -j REDIRECT` | S1 |

## Emulation & Shellcode

| Tool | Platform | Description | Book Ref |
|------|----------|-------------|----------|
| **speakeasy** | REMnux | Emulate Windows API calls without executing. `-t <sample> -o report.json` | S1 p.85 |
| **scdbgc** | Both | Shellcode emulator — `/f sc.bin /s -1` for API trace, `/foff` for offset | S3 p.57 |
| **runsc32** | Windows | Execute shellcode for dynamic analysis with debugger attachment | S3 p.73 |
| **box-js** | REMnux | Node.js sandbox for JavaScript analysis with WScript emulation | S3 p.95 |
| **SpiderMonkey** | REMnux | Mozilla JS engine: `js -f /usr/share/remnux/objects.js -f <script>` | S3 p.84 |

## Code Analysis & Debugging

| Tool | Platform | Description | Book Ref |
|------|----------|-------------|----------|
| **Ghidra** | Both | NSA disassembler/decompiler — function graphs, symbol trees, scripting | S2 |
| **x64dbg** | Windows | 64-bit debugger — breakpoints, memory inspection, patching | S1 p.92 |
| **x32dbg** | Windows | 32-bit debugger — same as x64dbg for 32-bit binaries | S3-S5 |
| **IDA** | Multi | Commercial disassembler with built-in debugger (freeware version available) | S2 p.81 |
| **Binary Ninja** | Multi | Commercial disassembler, strong for automated analysis | S2 p.81 |
| **Cutter** | REMnux | Open-source GUI for radare2 | S2 p.81 |

## Unpacking

| Tool | Platform | Description | Book Ref |
|------|----------|-------------|----------|
| **UPX** | Both | Unpack UPX-packed files: `upx -d packed.exe` (fails if modified) | S4 p.40 |
| **Scylla** | Windows | Dump process from memory + fix IAT (Import Address Table) | S4 |
| **OllyDumpEx** | Windows | x64dbg/x32dbg plugin for memory dumping at OEP | S4 |
| **ScyllaHide** | Windows | x64dbg plugin to hide debugger from anti-debug checks | S5 p.33 |
| **pe_unmapper** | Windows | Convert virtual-aligned dump to raw alignment (by Hasherezade) | S5 p.38 |
| **setdllcharacteristics** | Windows | Disable ASLR: `setdllcharacteristics -d <file>` (by Didier Stevens) | S4 p.22 |

## .NET Analysis

| Tool | Platform | Description | Book Ref |
|------|----------|-------------|----------|
| **ILSpy** | Windows | .NET decompiler — view C#/VB.NET source from compiled assemblies | S3 p.34 |
| **ilspycmd** | REMnux | Command-line ILSpy: `ilspycmd <assembly> > source.cs` | S4 |
| **dnSpyEx** | Windows | .NET debugger + decompiler — breakpoints on Assembly.Load | S3 p.34 |
| **de4dot** | Windows | .NET deobfuscator — removes ConfuserEx, Eziriz, etc. | S4 p.33 |

## String Deobfuscation

| Tool | Platform | Description | Book Ref |
|------|----------|-------------|----------|
| **XORSearch** | REMnux | Find XOR-encoded shellcode/strings: `-W` for shellcode patterns, `-d 3` skip ROT | S3 p.70 |
| **brxor.py** | REMnux | Brute-force single-byte XOR — looks for English words in decoded output | S5 p.22 |
| **bbcrack** | REMnux | Detect XOR, ROL, ADD obfuscation: `bbcrack -l 1 <file>` | S5 p.23 |
| **strdeob.pl** | REMnux | Decode stack-built strings (MOV byte-by-byte patterns) | S5 p.28 |
| **CyberChef** | Both | Visual multi-step decoding (Base64, XOR, hex, decompress). By GCHQ | S1 p.107 |
| **1768.py** | REMnux | Parse Cobalt Strike beacon configuration from shellcode | S3 p.58 |

## Behavioral Analysis

| Tool | Platform | Description | Book Ref |
|------|----------|-------------|----------|
| **System Informer** | Windows | Process monitor — replaces Task Manager. Shows processes, handles, network | S1 p.52 |
| **Process Monitor** | Windows | Records file system, registry, and process/thread activity in real time | S1 p.52 |
| **Regshot** | Windows | Compare registry/filesystem state before and after infection | S1 p.52 |
| **ProcDOT** | Windows | Visualize Process Monitor logs as interactive graphs | S1 p.52 |

## PowerShell Analysis

| Tool | Platform | Description | Book Ref |
|------|----------|-------------|----------|
| **PowerShell ISE** | Windows | Debug PS scripts — set breakpoints on Invoke-Expression to intercept | S3 |
| **logman** | Windows | Enable AMSI tracing: `logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface` | S3 |
| **AMSIScriptContentRetrieval** | Windows | Extract monitored script content from AMSI event trace logs | S3 |

## YARA & Detection

| Tool | Platform | Description | Book Ref |
|------|----------|-------------|----------|
| **yara / yara-rules** | REMnux | Scan files with community YARA rules for malware families and capabilities | S3 p.58 |
| **1768.py** | REMnux | Cobalt Strike beacon parser (Didier Stevens) | S3 p.58 |
| **capa** | REMnux | Capability detection via MITRE ATT&CK mapping | S1 p.88 |

---

## Key Pipe Chains

```bash
# Extract Base64 PowerShell from Office macro
oledump.py <doc> -s <stream> -d | base64dump.py -s 1 -d > payload.ps1

# VBA number array → readable text
oledump.py <doc> -s <stream> -v | numbers-to-string.py -j

# Multi-stage decode: Base64 → gunzip
base64dump.py <script.ps1> -s 3 -d | gunzip > decoded.ps1

# XOR decode shellcode
base64dump.py <script.ps1> -s 2 -d | translate.py "byte ^ 35" > sc.bin

# RTF shellcode extraction + emulation
rtfdump.py <doc> -s 5 -H -d > sc.bin
scdbgc /f sc.bin /foff 3B /s -1

# JavaScript deobfuscation
js -f /usr/share/remnux/objects.js -f <malicious.js> > decoded.js

# Speakeasy emulation + API extraction
speakeasy -t <sample> -o report.json 2> report.txt
jq '.entry_points[].apis[].api_name' report.json | sort -u

# CAPA capability filtering
capa -vv <sample> | grep -A7 "inject"
```