{ "tools": [ { "id": "pdfid-py", "name": "pdfid.py", "aliases": [ "pdfid" ], "description": "Scan PDF files for suspicious keywords like /JavaScript, /OpenAction, /Launch without parsing", "category": "pdf-analysis", "platform": "linux", "in_remnux": true, "author": "Didier Stevens", "labs": [ "3.1" ], "typical_usage": [ "pdfid.py document.pdf", "pdfid.py -n document.pdf" ], "for610_sections": [ 1, 3 ], "tags": [ "pdf", "static-analysis", "triage", "didier-stevens" ] }, { "id": "pdf-parser-py", "name": "pdf-parser.py", "aliases": [ "pdf-parser" ], "description": "Parse PDF structure, locate objects, extract content, and search for strings", "category": "pdf-analysis", "platform": "linux", "in_remnux": true, "author": "Didier Stevens", "labs": [ "3.1" ], "typical_usage": [ "pdf-parser.py document.pdf -a", "pdf-parser.py document.pdf -s /URI", "pdf-parser.py document.pdf -k /URI", "pdf-parser.py document.pdf -o 6 -d object6.jpg" ], "for610_sections": [ 1, 3 ], "tags": [ "pdf", "static-analysis", "object-extraction", "didier-stevens" ] }, { "id": "peepdf", "name": "peepdf", "aliases": [], "description": "Interactive PDF analysis framework with JavaScript detection and exploitation capabilities", "category": "pdf-analysis", "platform": "linux", "in_remnux": true, "labs": [], "typical_usage": [ "peepdf -i malicious.pdf", "peepdf -f -i malicious.pdf" ], "for610_sections": [ 1 ], "tags": [ "pdf", "interactive", "javascript-detection" ] }, { "id": "pdftool-py", "name": "pdftool.py", "aliases": [], "description": "Analyze PDF incremental updates", "category": "pdf-analysis", "platform": "linux", "in_remnux": true, "author": "Didier Stevens", "labs": [], "typical_usage": [ "pdftool.py document.pdf" ], "for610_sections": [ 1 ], "tags": [ "pdf", "didier-stevens" ] }, { "id": "pdfresurrect", "name": "pdfresurrect", "aliases": [], "description": "Extract and analyze previous versions from PDF files", "category": "pdf-analysis", "platform": "linux", "in_remnux": true, "labs": [], 
"typical_usage": [ "pdfresurrect document.pdf" ], "for610_sections": [ 1 ], "tags": [ "pdf", "versioning" ] }, { "id": "qpdf", "name": "qpdf", "aliases": [], "description": "Decrypt, linearize, and transform PDF files \u2014 useful for removing password protection", "category": "pdf-analysis", "platform": "linux", "in_remnux": true, "labs": [], "typical_usage": [ "qpdf --decrypt encrypted.pdf output.pdf" ], "for610_sections": [ 3 ], "tags": [ "pdf", "decryption", "transformation" ] }, { "id": "pdftk", "name": "pdftk", "aliases": [], "description": "Manipulate PDF files \u2014 merge, split, flatten, encrypt, and extract embedded content", "category": "pdf-analysis", "platform": "linux", "in_remnux": true, "labs": [], "typical_usage": [ "pdftk input.pdf cat output output.pdf flatten", "pdftk input.pdf unpack_files" ], "for610_sections": [ 3 ], "tags": [ "pdf", "manipulation", "extraction" ] }, { "id": "oledump-py", "name": "oledump.py", "aliases": [ "oledump" ], "description": "Analyze OLE2 files (Office documents), extract streams and VBA macros", "category": "document-analysis", "platform": "linux", "in_remnux": true, "author": "Didier Stevens", "labs": [ "3.3", "3.4", "4.5" ], "typical_usage": [ "oledump.py document.docm", "oledump.py document.docm -s A3 -v", "oledump.py document.docm -i" ], "for610_sections": [ 3, 4 ], "tags": [ "office", "vba", "macro", "ole", "didier-stevens" ] }, { "id": "olevba", "name": "olevba", "aliases": [], "description": "Extract and analyze VBA macros from Office documents with deobfuscation", "category": "document-analysis", "platform": "linux", "in_remnux": true, "labs": [], "typical_usage": [ "olevba document.docm", "olevba --deobf document.docm" ], "for610_sections": [ 3 ], "tags": [ "office", "vba", "macro", "deobfuscation" ] }, { "id": "evilclippy", "name": "evilclippy", "aliases": [], "description": "Remove VBA project password protection and manipulate Office macro settings", "category": "document-analysis", "platform": "both", 
"in_remnux": true, "labs": [], "typical_usage": [ "evilclippy -uu document.docm" ], "for610_sections": [ 3 ], "tags": [ "office", "vba", "password-removal" ] }, { "id": "rtfdump-py", "name": "rtfdump.py", "aliases": [ "rtfdump" ], "description": "Analyze RTF file structure, identify hex-encoded groups and embedded objects", "category": "document-analysis", "platform": "linux", "in_remnux": true, "author": "Didier Stevens", "labs": [ "3.5" ], "typical_usage": [ "rtfdump.py document.rtf", "rtfdump.py document.rtf -s 5 -H -d > extracted.bin" ], "for610_sections": [ 3 ], "tags": [ "rtf", "document", "didier-stevens" ] }, { "id": "base64dump-py", "name": "base64dump.py", "aliases": [ "base64dump" ], "description": "Extract and decode Base64-encoded strings from files", "category": "document-analysis", "platform": "linux", "in_remnux": true, "author": "Didier Stevens", "labs": [ "3.4", "4.5" ], "typical_usage": [ "base64dump.py file.txt", "base64dump.py file.ps1 -n 10", "base64dump.py file.ps1 -s 2 -d" ], "for610_sections": [ 3, 4 ], "tags": [ "base64", "decoding", "didier-stevens" ] }, { "id": "emldump-py", "name": "emldump.py", "aliases": [ "emldump" ], "description": "Parse and analyze EML email message files", "category": "document-analysis", "platform": "linux", "in_remnux": true, "author": "Didier Stevens", "labs": [], "typical_usage": [ "emldump.py message.eml" ], "for610_sections": [ 3 ], "tags": [ "email", "eml", "didier-stevens" ] }, { "id": "zipdump-py", "name": "zipdump.py", "aliases": [ "zipdump" ], "description": "Parse and analyze ZIP archive structure", "category": "document-analysis", "platform": "linux", "in_remnux": true, "author": "Didier Stevens", "labs": [], "typical_usage": [ "zipdump.py archive.zip" ], "for610_sections": [ 3 ], "tags": [ "zip", "archive", "didier-stevens" ] }, { "id": "numbers-to-string-py", "name": "numbers-to-string.py", "aliases": [], "description": "Convert sequences of decimal numbers to readable characters", "category": 
"document-analysis", "platform": "linux", "in_remnux": true, "author": "Didier Stevens", "labs": [ "3.3" ], "typical_usage": [ "oledump.py doc.docm -s A3 -v | numbers-to-string.py -j" ], "for610_sections": [ 3 ], "tags": [ "decoding", "deobfuscation", "didier-stevens" ] }, { "id": "translate-py", "name": "translate.py", "aliases": [], "description": "Transform data using Python expressions (XOR, ADD, etc.)", "category": "document-analysis", "platform": "linux", "in_remnux": true, "author": "Didier Stevens", "labs": [ "3.4" ], "typical_usage": [ "translate.py \"byte ^ 35\" < input.bin > output.bin" ], "for610_sections": [ 3 ], "tags": [ "xor", "transformation", "decoding", "didier-stevens" ] }, { "id": "pestudio", "name": "PeStudio", "aliases": [], "description": "GUI tool for examining static properties of PE files \u2014 imports, strings, sections, entropy, indicators", "category": "static-analysis-pe", "platform": "windows", "in_remnux": false, "labs": [ "1.1", "1.5", "2.7", "3.10", "3.12", "4.1", "4.2", "4.3", "4.7", "4.8", "5.3", "5.4", "5.8", "5.9", "5.10" ], "typical_usage": [ "pestudio.exe specimen.exe" ], "for610_sections": [ 1, 2, 3, 4, 5 ], "tags": [ "pe", "static-analysis", "imports", "strings", "entropy", "triage" ] }, { "id": "peframe", "name": "peframe", "aliases": [], "description": "Static analysis of PE files \u2014 extract properties, detect anomalies, identify packers", "category": "static-analysis-pe", "platform": "linux", "in_remnux": true, "labs": [ "1.1", "4.8" ], "typical_usage": [ "peframe specimen.exe" ], "for610_sections": [ 1, 4 ], "tags": [ "pe", "static-analysis", "triage" ] }, { "id": "pestr", "name": "pestr", "aliases": [], "description": "Extract ASCII and Unicode strings from PE files", "category": "static-analysis-pe", "platform": "linux", "in_remnux": true, "labs": [ "1.1", "4.8" ], "typical_usage": [ "pestr specimen.exe" ], "for610_sections": [ 1, 4 ], "tags": [ "pe", "strings", "static-analysis" ] }, { "id": "strings", "name": 
"strings", "aliases": [], "description": "Extract printable ASCII and Unicode strings from binary files", "category": "static-analysis-pe", "platform": "linux", "in_remnux": true, "labs": [ "3.4", "5.2" ], "typical_usage": [ "strings binary.exe", "strings -n 10 binary.exe", "strings --encoding=l binary.exe" ], "for610_sections": [ 1, 3 ], "tags": [ "strings", "static-analysis", "triage" ] }, { "id": "bytehist", "name": "Bytehist", "aliases": [], "description": "Generate byte-usage histograms to visually identify packed or encrypted sections in binaries", "category": "static-analysis-pe", "platform": "both", "in_remnux": true, "labs": [], "typical_usage": [ "bytehist specimen.exe" ], "for610_sections": [ 1, 4 ], "tags": [ "pe", "entropy", "packing-detection", "histogram" ] }, { "id": "diec", "name": "diec", "aliases": [ "Detect It Easy", "DIE" ], "description": "Detect packers, compilers, and tools used to create executables", "category": "static-analysis-pe", "platform": "both", "in_remnux": true, "labs": [ "4.1" ], "typical_usage": [ "diec specimen.exe" ], "for610_sections": [ 1, 4 ], "tags": [ "pe", "packer-detection", "compiler-detection" ] }, { "id": "exeinfo-pe", "name": "ExeInfo PE", "aliases": [ "ExeInfoPE", "ExeInfo" ], "description": "Identify tools and packers used to create PE executables", "category": "static-analysis-pe", "platform": "windows", "in_remnux": false, "labs": [ "3.12" ], "typical_usage": [ "ExeInfoPE.exe specimen.exe" ], "for610_sections": [ 1, 3 ], "tags": [ "pe", "packer-detection" ] }, { "id": "cff-explorer", "name": "CFF Explorer", "aliases": [], "description": "View and edit PE file headers, sections, imports, and resources", "category": "static-analysis-pe", "platform": "windows", "in_remnux": false, "labs": [], "typical_usage": [ "CFF Explorer specimen.exe" ], "for610_sections": [ 1 ], "tags": [ "pe", "header-editing", "resources" ] }, { "id": "file", "name": "file", "aliases": [], "description": "Determine file type and MIME type 
using magic bytes", "category": "static-analysis-pe", "platform": "linux", "in_remnux": true, "labs": [ "3.4", "3.5" ], "typical_usage": [ "file specimen.exe", "file document.doc" ], "for610_sections": [ 3 ], "tags": [ "file-identification", "triage" ] }, { "id": "trid", "name": "trid", "aliases": [], "description": "Identify file type by scanning binary signatures database", "category": "static-analysis-pe", "platform": "linux", "in_remnux": true, "labs": [ "3.3", "3.4" ], "typical_usage": [ "trid document.doc" ], "for610_sections": [ 3 ], "tags": [ "file-identification", "triage" ] }, { "id": "exiftool", "name": "exiftool", "aliases": [], "description": "Extract metadata from files (PDF, images, documents, executables)", "category": "static-analysis-pe", "platform": "linux", "in_remnux": true, "labs": [], "typical_usage": [ "exiftool document.pdf", "exiftool specimen.exe" ], "for610_sections": [ 1 ], "tags": [ "metadata", "triage" ] }, { "id": "system-informer", "name": "System Informer", "aliases": [ "Process Hacker" ], "description": "Monitor processes, network connections, handles, and system resources in real time", "category": "behavioral-analysis", "platform": "windows", "in_remnux": false, "labs": [ "1.2", "1.3", "1.6", "1.7", "1.8", "4.2", "4.5", "5.1" ], "typical_usage": [ "SystemInformer.exe" ], "for610_sections": [ 1, 4, 5 ], "tags": [ "process-monitoring", "handles", "network", "real-time" ] }, { "id": "process-monitor", "name": "Process Monitor", "aliases": [ "ProcMon", "procmon" ], "description": "Record file system, registry, process, and thread activity in real time", "category": "behavioral-analysis", "platform": "windows", "in_remnux": false, "labs": [ "1.2", "4.5" ], "typical_usage": [ "Procmon.exe" ], "for610_sections": [ 1, 4 ], "tags": [ "filesystem", "registry", "process-monitoring", "real-time" ] }, { "id": "regshot", "name": "Regshot", "aliases": [], "description": "Take and compare registry/filesystem snapshots before and after 
infection", "category": "behavioral-analysis", "platform": "windows", "in_remnux": false, "labs": [ "1.2" ], "typical_usage": [ "Regshot-x64-Unicode.exe" ], "for610_sections": [ 1 ], "tags": [ "registry", "filesystem", "snapshot", "comparison" ] }, { "id": "procdot", "name": "ProcDOT", "aliases": [], "description": "Visualize Process Monitor logs as interactive graphs for behavioral analysis", "category": "behavioral-analysis", "platform": "both", "in_remnux": true, "labs": [ "1.2", "4.5" ], "typical_usage": [ "procdot" ], "for610_sections": [ 1, 4 ], "tags": [ "visualization", "process-monitor", "behavioral" ] }, { "id": "autoruns", "name": "Autoruns", "aliases": [], "description": "View and manage all autostart locations \u2014 startup programs, services, drivers, scheduled tasks", "category": "behavioral-analysis", "platform": "windows", "in_remnux": false, "labs": [], "typical_usage": [ "Autoruns.exe" ], "for610_sections": [ 1 ], "tags": [ "persistence", "autostart", "startup" ] }, { "id": "api-monitor", "name": "API Monitor", "aliases": [], "description": "Monitor and record API calls made by processes", "category": "behavioral-analysis", "platform": "windows", "in_remnux": false, "labs": [], "typical_usage": [ "apimonitor-x64.exe" ], "for610_sections": [ 1 ], "tags": [ "api-calls", "monitoring", "dynamic-analysis" ] }, { "id": "tcplogview", "name": "TcpLogView", "aliases": [], "description": "Log opened and closed TCP connections with process information", "category": "behavioral-analysis", "platform": "windows", "in_remnux": false, "labs": [], "typical_usage": [ "TcpLogView.exe" ], "for610_sections": [ 1 ], "tags": [ "network", "tcp", "connection-logging" ] }, { "id": "wireshark", "name": "Wireshark", "aliases": [], "description": "GUI network protocol analyzer for capturing and inspecting packet-level traffic", "category": "network-analysis", "platform": "both", "in_remnux": true, "labs": [ "1.2", "1.3", "1.6", "1.7", "1.8", "5.1" ], "typical_usage": [ 
"wireshark", "wireshark -r capture.pcap" ], "for610_sections": [ 1, 5 ], "tags": [ "packet-capture", "protocol-analysis", "network" ] }, { "id": "tshark", "name": "tshark", "aliases": [], "description": "Command-line interface to Wireshark for packet capture and analysis", "category": "network-analysis", "platform": "both", "in_remnux": true, "labs": [], "typical_usage": [ "tshark -r capture.pcap", "tshark -i eth0 -w capture.pcap" ], "for610_sections": [ 1 ], "tags": [ "packet-capture", "cli", "network" ] }, { "id": "tcpdump", "name": "tcpdump", "aliases": [], "description": "Command-line packet capture tool", "category": "network-analysis", "platform": "linux", "in_remnux": true, "labs": [], "typical_usage": [ "tcpdump -i eth0 -w capture.pcap", "tcpdump -r capture.pcap" ], "for610_sections": [ 1 ], "tags": [ "packet-capture", "cli", "network" ] }, { "id": "fiddler", "name": "Fiddler", "aliases": [], "description": "HTTP/HTTPS debugging proxy for intercepting, inspecting, and modifying web traffic", "category": "network-analysis", "platform": "windows", "in_remnux": false, "labs": [ "3.2", "3.8", "3.9", "3.10", "3.11", "3.12", "4.5" ], "typical_usage": [ "Fiddler.exe" ], "for610_sections": [ 3, 4 ], "tags": [ "http", "https", "proxy", "web-traffic" ] }, { "id": "fakedns", "name": "fakedns", "aliases": [], "description": "Fake DNS server that resolves all queries to a specified IP for traffic interception", "category": "network-analysis", "platform": "linux", "in_remnux": true, "labs": [ "1.3", "1.6", "1.7", "1.8" ], "typical_usage": [ "fakedns" ], "for610_sections": [ 1 ], "tags": [ "dns", "spoofing", "interception", "lab-setup" ] }, { "id": "inetsim", "name": "INetSim", "aliases": [], "description": "Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for malware analysis in isolated labs", "category": "network-analysis", "platform": "linux", "in_remnux": true, "labs": [ "1.7" ], "typical_usage": [ "inetsim" ], "for610_sections": [ 1 ], "tags": [ 
"service-emulation", "network-simulation", "lab-setup" ] }, { "id": "httpd", "name": "httpd", "aliases": [ "accept-all-ips" ], "description": "Simple HTTP server on REMnux for simulating C2 web servers", "category": "network-analysis", "platform": "linux", "in_remnux": true, "labs": [ "1.3", "1.6", "1.8" ], "typical_usage": [ "httpd" ], "for610_sections": [ 1 ], "tags": [ "http", "web-server", "c2-simulation", "lab-setup" ] }, { "id": "iptables", "name": "iptables", "aliases": [], "description": "Linux firewall and NAT tool for redirecting IP-based malware traffic", "category": "network-analysis", "platform": "linux", "in_remnux": true, "labs": [ "1.8" ], "typical_usage": [ "iptables -t nat -A PREROUTING -i ens32 -j REDIRECT" ], "for610_sections": [ 1 ], "tags": [ "firewall", "nat", "traffic-redirection" ] }, { "id": "netcat", "name": "nc", "aliases": [ "netcat" ], "description": "Network utility for reading/writing data across TCP/UDP connections", "category": "network-analysis", "platform": "both", "in_remnux": true, "labs": [], "typical_usage": [ "nc -l -p 3127", "nc target_ip 80" ], "for610_sections": [ 1 ], "tags": [ "network", "tcp", "listener" ] }, { "id": "nslookup", "name": "nslookup", "aliases": [], "description": "DNS query tool for testing name resolution", "category": "network-analysis", "platform": "both", "in_remnux": true, "labs": [ "1.3" ], "typical_usage": [ "nslookup domain.com" ], "for610_sections": [ 1 ], "tags": [ "dns", "testing" ] }, { "id": "thug", "name": "Thug", "aliases": [], "description": "Low-interaction honeyclient for analyzing malicious websites and drive-by downloads", "category": "network-analysis", "platform": "linux", "in_remnux": true, "labs": [], "typical_usage": [ "thug -u win7chrome49 http://suspicious-site.com" ], "for610_sections": [ 3 ], "tags": [ "honeyclient", "web-analysis", "drive-by" ] }, { "id": "burp-suite", "name": "Burp Suite", "aliases": [ "Burp" ], "description": "Web application security proxy for 
intercepting and modifying HTTP/HTTPS traffic", "category": "network-analysis", "platform": "both", "in_remnux": false, "labs": [], "typical_usage": [ "burpsuite" ], "for610_sections": [ 3 ], "tags": [ "http", "https", "proxy", "web-security" ] }, { "id": "torsocks", "name": "torsocks", "aliases": [], "description": "Route network traffic through the Tor anonymity network", "category": "network-analysis", "platform": "linux", "in_remnux": true, "labs": [], "typical_usage": [ "torsocks curl http://example.onion" ], "for610_sections": [ 1 ], "tags": [ "tor", "anonymity", "network-routing" ] }, { "id": "ghidra", "name": "Ghidra", "aliases": [], "description": "Open-source disassembler and decompiler from NSA with scripting, function graphs, and data type management", "category": "code-analysis", "platform": "both", "in_remnux": true, "labs": [ "2.1", "2.2", "2.3", "2.4", "2.5", "2.6", "2.7", "2.8", "4.9", "5.2", "5.4", "5.5", "5.6", "5.7", "5.9" ], "typical_usage": [ "ghidra" ], "for610_sections": [ 2, 4, 5 ], "tags": [ "disassembly", "decompilation", "code-analysis", "function-graph" ] }, { "id": "ida", "name": "IDA", "aliases": [ "IDA Pro", "IDA Freeware" ], "description": "Commercial interactive disassembler and debugger from Hex-Rays", "category": "code-analysis", "platform": "both", "in_remnux": false, "labs": [], "typical_usage": [ "ida64.exe specimen.exe" ], "for610_sections": [ 2 ], "tags": [ "disassembly", "decompilation", "commercial" ] }, { "id": "binary-ninja", "name": "Binary Ninja", "aliases": [], "description": "Commercial disassembler with strong automated analysis and scripting", "category": "code-analysis", "platform": "both", "in_remnux": false, "labs": [], "typical_usage": [ "binaryninja specimen.exe" ], "for610_sections": [ 2 ], "tags": [ "disassembly", "commercial" ] }, { "id": "cutter", "name": "Cutter", "aliases": [], "description": "Open-source reverse engineering platform \u2014 Qt-based GUI for radare2", "category": "code-analysis", 
"platform": "both", "in_remnux": true, "labs": [], "typical_usage": [ "cutter specimen.exe" ], "for610_sections": [ 2 ], "tags": [ "disassembly", "radare2", "open-source" ] }, { "id": "radare2", "name": "radare2", "aliases": [ "r2" ], "description": "Open-source reverse engineering command-line framework", "category": "code-analysis", "platform": "both", "in_remnux": true, "labs": [], "typical_usage": [ "r2 specimen.exe" ], "for610_sections": [ 2 ], "tags": [ "disassembly", "cli", "open-source" ] }, { "id": "x64dbg", "name": "x64dbg", "aliases": [], "description": "Open-source 64-bit debugger for dynamic malware analysis \u2014 breakpoints, memory inspection, patching", "category": "debugging", "platform": "windows", "in_remnux": false, "labs": [ "1.5", "4.3", "4.4", "5.1" ], "typical_usage": [ "x64dbg.exe specimen.exe" ], "for610_sections": [ 1, 4, 5 ], "tags": [ "debugger", "64-bit", "dynamic-analysis", "breakpoints" ] }, { "id": "x32dbg", "name": "x32dbg", "aliases": [], "description": "Open-source 32-bit debugger for dynamic malware analysis \u2014 breakpoints, memory inspection, patching", "category": "debugging", "platform": "windows", "in_remnux": false, "labs": [ "3.5", "3.10", "4.6", "4.7", "5.3", "5.4", "5.5", "5.6", "5.7", "5.8", "5.9", "5.10" ], "typical_usage": [ "x32dbg.exe specimen.exe" ], "for610_sections": [ 3, 4, 5 ], "tags": [ "debugger", "32-bit", "dynamic-analysis", "breakpoints" ] }, { "id": "ollydbg", "name": "OllyDbg", "aliases": [], "description": "Classic 32-bit debugger for Windows (legacy, predecessor to x32dbg)", "category": "debugging", "platform": "windows", "in_remnux": false, "labs": [], "typical_usage": [ "ollydbg.exe specimen.exe" ], "for610_sections": [ 4, 5 ], "tags": [ "debugger", "32-bit", "legacy" ] }, { "id": "windbg", "name": "WinDbg", "aliases": [], "description": "Microsoft Windows debugger for kernel and user-mode debugging", "category": "debugging", "platform": "windows", "in_remnux": false, "labs": [], "typical_usage": 
[ "windbg.exe specimen.exe" ], "for610_sections": [ 2 ], "tags": [ "debugger", "kernel", "microsoft" ] }, { "id": "speakeasy", "name": "speakeasy", "aliases": [], "description": "Windows binary emulator \u2014 emulates API calls to analyze malware behavior without native execution", "category": "emulation", "platform": "linux", "in_remnux": true, "labs": [ "1.4" ], "typical_usage": [ "speakeasy -t specimen.exe -o report.json 2> report.txt", "speakeasy -t shellcode.bin -r -a x86" ], "for610_sections": [ 1 ], "tags": [ "emulation", "api-calls", "behavioral-analysis" ] }, { "id": "scdbgc", "name": "scdbgc", "aliases": [ "scdbg" ], "description": "Shellcode emulator \u2014 analyze shellcode behavior through API-level emulation", "category": "emulation", "platform": "both", "in_remnux": true, "labs": [ "3.4", "3.5", "4.6" ], "typical_usage": [ "scdbgc /f shellcode.bin /s -1", "scdbgc /f shellcode.bin /foff 0x3B /fopen qa.doc", "scdbgc /f shellcode.bin /s -1 /norw" ], "for610_sections": [ 3, 4 ], "tags": [ "shellcode", "emulation", "api-calls" ] }, { "id": "runsc32", "name": "runsc32", "aliases": [ "runsc" ], "description": "Execute extracted shellcode for dynamic analysis", "category": "emulation", "platform": "windows", "in_remnux": false, "labs": [ "3.5", "4.6" ], "typical_usage": [ "runsc32 -f shellcode.bin -o 0x3B -d qa.doc" ], "for610_sections": [ 3, 4 ], "tags": [ "shellcode", "execution", "dynamic-analysis" ] }, { "id": "box-js", "name": "box-js", "aliases": [], "description": "JavaScript sandbox for analyzing malicious scripts by emulating browser/WScript APIs", "category": "emulation", "platform": "linux", "in_remnux": true, "labs": [], "typical_usage": [ "box-js --output-dir=/tmp suspicious.js" ], "for610_sections": [ 3 ], "tags": [ "javascript", "sandbox", "emulation" ] }, { "id": "upx", "name": "UPX", "aliases": [ "upx" ], "description": "Universal Packer for eXecutables \u2014 compress and decompress PE files", "category": "unpacking", "platform": "both", 
"in_remnux": true, "labs": [ "4.2" ], "typical_usage": [ "upx -d packed.exe", "upx -d packed.exe -o unpacked.exe" ], "for610_sections": [ 4 ], "tags": [ "packer", "unpacker", "compression" ] }, { "id": "scylla", "name": "Scylla", "aliases": [], "description": "Dump processes from memory and reconstruct import address tables (IAT)", "category": "unpacking", "platform": "windows", "in_remnux": false, "labs": [ "4.2", "4.3", "5.4", "5.8", "5.10" ], "typical_usage": [ "Scylla x64 > Attach to process > Dump > IAT Autosearch > Fix Dump" ], "for610_sections": [ 4, 5 ], "tags": [ "memory-dump", "iat-reconstruction", "unpacking" ] }, { "id": "ollydumpex", "name": "OllyDumpEx", "aliases": [], "description": "x64dbg/x32dbg plugin for dumping unpacked process memory to disk", "category": "unpacking", "platform": "windows", "in_remnux": false, "labs": [ "4.3", "5.4", "5.8" ], "typical_usage": [ "Plugins > OllyDumpEx > Dump process" ], "for610_sections": [ 4, 5 ], "tags": [ "memory-dump", "x64dbg-plugin", "unpacking" ] }, { "id": "pe-unmapper", "name": "pe_unmapper", "aliases": [], "description": "Convert dumped PE from virtual memory alignment to raw disk alignment", "category": "unpacking", "platform": "windows", "in_remnux": false, "labs": [ "5.10" ], "typical_usage": [ "pe_unmapper /in dumped.exe /base 400000 /out fixed.exe" ], "for610_sections": [ 5 ], "tags": [ "pe-fixup", "memory-dump", "alignment" ] }, { "id": "setdllcharacteristics", "name": "setdllcharacteristics", "aliases": [], "description": "Modify PE header flags \u2014 commonly used to disable ASLR (DynamicBase)", "category": "unpacking", "platform": "windows", "in_remnux": false, "author": "Didier Stevens", "labs": [ "4.2" ], "typical_usage": [ "setdllcharacteristics -d specimen.exe" ], "for610_sections": [ 4 ], "tags": [ "pe-header", "aslr", "didier-stevens" ] }, { "id": "ilspy", "name": "ILSpy", "aliases": [], "description": ".NET assembly decompiler \u2014 view C#/VB.NET source from compiled .NET binaries", 
"category": "dotnet-analysis", "platform": "windows", "in_remnux": false, "labs": [ "3.12", "4.8" ], "typical_usage": [ "ILSpy.exe assembly.exe" ], "for610_sections": [ 3, 4 ], "tags": [ "dotnet", "decompiler", "csharp" ] }, { "id": "ilspycmd", "name": "ilspycmd", "aliases": [], "description": "Command-line .NET decompiler (CLI version of ILSpy)", "category": "dotnet-analysis", "platform": "linux", "in_remnux": true, "labs": [ "4.8" ], "typical_usage": [ "ilspycmd assembly.exe > decompiled.cs" ], "for610_sections": [ 4 ], "tags": [ "dotnet", "decompiler", "cli" ] }, { "id": "dnspyex", "name": "dnSpyEx", "aliases": [ "dnSpy" ], "description": ".NET debugger and decompiler \u2014 debug obfuscated/packed .NET malware with breakpoints", "category": "dotnet-analysis", "platform": "windows", "in_remnux": false, "labs": [ "4.8" ], "typical_usage": [ "dnSpyEx.exe assembly.exe" ], "for610_sections": [ 4 ], "tags": [ "dotnet", "debugger", "decompiler" ] }, { "id": "de4dot", "name": "de4dot", "aliases": [], "description": ".NET deobfuscator \u2014 remove obfuscation from .NET assemblies", "category": "dotnet-analysis", "platform": "both", "in_remnux": true, "labs": [ "4.8" ], "typical_usage": [ "de4dot obfuscated.exe" ], "for610_sections": [ 4 ], "tags": [ "dotnet", "deobfuscation" ] }, { "id": "dotpeek", "name": "dotPeek", "aliases": [], "description": "Free JetBrains .NET decompiler \u2014 alternative to ILSpy for viewing .NET source", "category": "dotnet-analysis", "platform": "windows", "in_remnux": false, "labs": [], "typical_usage": [ "dotPeek.exe assembly.exe" ], "for610_sections": [ 4 ], "tags": [ "dotnet", "decompiler", "jetbrains" ] }, { "id": "dotdumper", "name": "DotDumper", "aliases": [], "description": "Execution monitor and memory extractor for automatic .NET malware unpacking", "category": "dotnet-analysis", "platform": "windows", "in_remnux": false, "labs": [], "typical_usage": [ "DotDumper.exe -file chatroom.exe" ], "for610_sections": [ 4 ], "tags": [ 
"dotnet", "unpacking", "memory-extraction", "automated" ] }, { "id": "spidermonkey", "name": "SpiderMonkey", "aliases": [ "js" ], "description": "Mozilla JavaScript engine \u2014 execute and deobfuscate malicious JavaScript outside a browser", "category": "javascript-analysis", "platform": "linux", "in_remnux": true, "labs": [ "3.6", "3.7", "4.5" ], "typical_usage": [ "js -f malicious.js", "js -f /usr/share/remnux/objects.js -f malicious.js > decoded.js" ], "for610_sections": [ 3, 4 ], "tags": [ "javascript", "deobfuscation", "execution" ] }, { "id": "js-beautify", "name": "js-beautify", "aliases": [], "description": "Format and beautify obfuscated JavaScript code for readability", "category": "javascript-analysis", "platform": "linux", "in_remnux": true, "labs": [ "3.6", "4.5" ], "typical_usage": [ "js-beautify malicious.js > beautified.js" ], "for610_sections": [ 3 ], "tags": [ "javascript", "formatting", "readability" ] }, { "id": "cscript", "name": "CScript", "aliases": [ "cscript.exe" ], "description": "Command-line Windows Script Host \u2014 execute JScript/VBScript under AMSI monitoring", "category": "javascript-analysis", "platform": "windows", "in_remnux": false, "labs": [ "3.6" ], "typical_usage": [ "cscript malicious.js" ], "for610_sections": [ 3 ], "tags": [ "javascript", "vbscript", "windows-script-host" ] }, { "id": "powershell-ise", "name": "PowerShell ISE", "aliases": [ "powershell_ise" ], "description": "PowerShell Integrated Scripting Environment \u2014 debug scripts with breakpoints and variable inspection", "category": "powershell-analysis", "platform": "windows", "in_remnux": false, "labs": [ "3.9", "3.11", "4.5" ], "typical_usage": [ "powershell_ise script.ps1" ], "for610_sections": [ 3, 4 ], "tags": [ "powershell", "debugger", "script-analysis" ] }, { "id": "logman", "name": "logman", "aliases": [], "description": "Windows Event Trace session manager \u2014 enable AMSI script content logging", "category": "powershell-analysis", "platform": 
"windows", "in_remnux": false, "labs": [ "3.6" ], "typical_usage": [ "logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets", "logman stop AMSITrace -ets" ], "for610_sections": [ 3 ], "tags": [ "amsi", "event-tracing", "monitoring" ] }, { "id": "amsiscriptcontentretrieval", "name": "AMSIScriptContentRetrieval", "aliases": [], "description": "Extract monitored script content from AMSI Event Trace logs", "category": "powershell-analysis", "platform": "windows", "in_remnux": false, "labs": [ "3.6" ], "typical_usage": [ "AMSIScriptContentRetrieval AMSITrace.etl > output.txt" ], "for610_sections": [ 3 ], "tags": [ "amsi", "script-extraction" ] }, { "id": "floss", "name": "FLOSS", "aliases": [ "floss" ], "description": "Automatically extract obfuscated strings from malware using static analysis, stack strings, and emulation", "category": "string-deobfuscation", "platform": "both", "in_remnux": true, "labs": [ "5.2", "5.3" ], "typical_usage": [ "floss specimen.exe", "floss specimen.exe > strings-output.txt", "floss --no-static -- specimen.exe" ], "for610_sections": [ 5 ], "tags": [ "strings", "deobfuscation", "automated" ] }, { "id": "xorsearch", "name": "XORSearch", "aliases": [], "description": "Search for XOR/ROL/ROT/SHIFT-encoded patterns including shellcode signatures", "category": "string-deobfuscation", "platform": "linux", "in_remnux": true, "author": "Didier Stevens", "labs": [ "3.5", "5.2" ], "typical_usage": [ "XORSearch -W -d 3 file.bin", "XORSearch -i -s specimen.exe http:" ], "for610_sections": [ 3, 5 ], "tags": [ "xor", "shellcode-detection", "pattern-search", "didier-stevens" ] }, { "id": "brxor-py", "name": "brxor.py", "aliases": [], "description": "Brute-force XOR key detection for single-byte XOR-encoded strings", "category": "string-deobfuscation", "platform": "linux", "in_remnux": true, "labs": [ "5.2" ], "typical_usage": [ "brxor.py specimen.dll" ], "for610_sections": [ 5 ], "tags": [ "xor", "brute-force", 
"deobfuscation" ] }, { "id": "bbcrack", "name": "bbcrack", "aliases": [], "description": "Detect and decode strings obfuscated with XOR, ROL, and ADD algorithms", "category": "string-deobfuscation", "platform": "linux", "in_remnux": true, "labs": [ "5.2" ], "typical_usage": [ "bbcrack -l 1 specimen.dll" ], "for610_sections": [ 5 ], "tags": [ "xor", "rol", "add", "deobfuscation", "balbuzard" ] }, { "id": "strdeob-pl", "name": "strdeob.pl", "aliases": [], "description": "Automatically decode stack-built strings from disassembled malware", "category": "string-deobfuscation", "platform": "linux", "in_remnux": true, "labs": [ "5.2" ], "typical_usage": [ "strdeob.pl specimen.exe" ], "for610_sections": [ 5 ], "tags": [ "stack-strings", "deobfuscation" ] }, { "id": "cyberchef", "name": "CyberChef", "aliases": [], "description": "Web-based data transformation tool \u2014 decode Base64, XOR, hex, decompress, and chain operations", "category": "string-deobfuscation", "platform": "both", "in_remnux": true, "labs": [ "1.5", "3.8", "3.12" ], "typical_usage": [ "cyberchef" ], "for610_sections": [ 1, 3 ], "tags": [ "decoding", "encoding", "transformation", "web-based" ] }, { "id": "capa", "name": "capa", "aliases": [], "description": "Identify malware capabilities mapped to the MITRE ATT&CK framework and the Malware Behavior Catalog", "category": "yara-detection", "platform": "both", "in_remnux": true, "labs": [ "1.4", "5.4" ], "typical_usage": [ "capa specimen.exe", "capa -vv specimen.exe", "capa -vv specimen.exe | grep -A7 'Suspended Process'" ], "for610_sections": [ 1, 5 ], "tags": [ "capabilities", "mitre-attack", "automated-analysis" ] }, { "id": "yara", "name": "yara", "aliases": [ "yara-rules" ], "description": "Pattern-matching tool for identifying and classifying malware using custom rules", "category": "yara-detection", "platform": "both", "in_remnux": true, "labs": [ "3.4" ], "typical_usage": [ "yara-rules specimen.bin", "yara rule.yar specimen.exe" ], "for610_sections": [ 3 ], 
"tags": [ "pattern-matching", "classification", "rules" ] }, { "id": "1768-py", "name": "1768.py", "aliases": [], "description": "Parse Cobalt Strike beacon configuration from shellcode or memory dumps", "category": "yara-detection", "platform": "linux", "in_remnux": true, "author": "Didier Stevens", "labs": [ "3.4" ], "typical_usage": [ "1768.py shellcode.bin" ], "for610_sections": [ 3 ], "tags": [ "cobalt-strike", "beacon", "c2-config", "didier-stevens" ] }, { "id": "scyllahide", "name": "ScyllaHide", "aliases": [], "description": "x64dbg/x32dbg plugin to hide debugger presence from anti-debugging checks", "category": "anti-analysis", "platform": "windows", "in_remnux": false, "labs": [ "5.3", "5.6" ], "typical_usage": [ "Plugins > ScyllaHide > Options > Enable all" ], "for610_sections": [ 5 ], "tags": [ "anti-debugging", "debugger-hiding", "x64dbg-plugin" ] }, { "id": "xanalyzer", "name": "xAnalyzer", "aliases": [], "description": "x32dbg plugin providing extended analysis \u2014 API parameter names and types in disassembly", "category": "anti-analysis", "platform": "windows", "in_remnux": false, "labs": [ "5.10" ], "typical_usage": [ "Plugins > xAnalyzer" ], "for610_sections": [ 5 ], "tags": [ "x32dbg-plugin", "analysis-enhancement" ] }, { "id": "virustotal", "name": "VirusTotal", "aliases": [ "VT" ], "description": "Multi-engine antivirus scanning, behavioral analysis, and threat intelligence \u2014 uploaded files are shared with AV vendors and other subscribers, so search by hash first and do not submit sensitive or targeted samples", "category": "online-platforms", "platform": "online", "in_remnux": false, "labs": [], "typical_usage": [ "https://virustotal.com" ], "for610_sections": [ 1 ], "tags": [ "scanning", "multi-engine", "threat-intel" ] }, { "id": "hybrid-analysis", "name": "Hybrid Analysis", "aliases": [], "description": "CrowdStrike automated sandbox for malware detonation and behavioral reporting (public submissions and their reports are visible to other users)", "category": "online-platforms", "platform": "online", "in_remnux": false, "labs": [], "typical_usage": [ "https://hybrid-analysis.com" ], "for610_sections": [ 1 ], "tags": [ "sandbox", 
"behavioral", "crowdstrike" ] }, { "id": "any-run", "name": "Any.run", "aliases": [], "description": "Interactive online malware analysis sandbox with real-time process monitoring", "category": "online-platforms", "platform": "online", "in_remnux": false, "labs": [], "typical_usage": [ "https://any.run" ], "for610_sections": [ 1 ], "tags": [ "sandbox", "interactive", "real-time" ] }, { "id": "cape-sandbox", "name": "CAPE Sandbox", "aliases": [ "CAPE" ], "description": "Automated malware analysis sandbox with payload extraction and config dumping", "category": "online-platforms", "platform": "online", "in_remnux": false, "labs": [], "typical_usage": [ "https://capesandbox.com" ], "for610_sections": [ 1 ], "tags": [ "sandbox", "automated", "payload-extraction" ] }, { "id": "malwarebazaar", "name": "MalwareBazaar", "aliases": [], "description": "Malware sample sharing platform by abuse.ch", "category": "online-platforms", "platform": "online", "in_remnux": false, "labs": [], "typical_usage": [ "https://bazaar.abuse.ch" ], "for610_sections": [ 1 ], "tags": [ "sample-sharing", "repository" ] }, { "id": "intezer-analyze", "name": "Intezer Analyze", "aliases": [], "description": "Automated code analysis platform for malware classification using code reuse detection", "category": "online-platforms", "platform": "online", "in_remnux": false, "labs": [], "typical_usage": [ "https://analyze.intezer.com" ], "for610_sections": [ 1 ], "tags": [ "code-reuse", "classification", "automated" ] }, { "id": "filescan-io", "name": "FileScan.IO", "aliases": [], "description": "Online malware analysis sandbox with multi-format support", "category": "online-platforms", "platform": "online", "in_remnux": false, "labs": [], "typical_usage": [ "https://filescan.io" ], "for610_sections": [ 1 ], "tags": [ "sandbox", "online" ] }, { "id": "urlscan-io", "name": "urlscan.io", "aliases": [], "description": "Website and URL investigation service \u2014 screenshots, DOM analysis, network requests", 
"category": "online-platforms", "platform": "online", "in_remnux": false, "labs": [], "typical_usage": [ "https://urlscan.io" ], "for610_sections": [ 1 ], "tags": [ "url-analysis", "website-investigation" ] }, { "id": "shodan", "name": "Shodan", "aliases": [], "description": "Search engine for internet-connected devices and exposed services", "category": "online-platforms", "platform": "online", "in_remnux": false, "labs": [], "typical_usage": [ "https://shodan.io" ], "for610_sections": [ 1 ], "tags": [ "infrastructure", "reconnaissance" ] }, { "id": "otx", "name": "Open Threat Exchange", "aliases": [ "OTX", "LevelBlue Labs" ], "description": "Threat intelligence sharing platform for indicators of compromise", "category": "online-platforms", "platform": "online", "in_remnux": false, "labs": [], "typical_usage": [ "https://otx.alienvault.com" ], "for610_sections": [ 1 ], "tags": [ "threat-intel", "ioc-sharing" ] }, { "id": "threatfox", "name": "ThreatFox", "aliases": [], "description": "Threat intelligence platform for sharing IOCs associated with malware", "category": "online-platforms", "platform": "online", "in_remnux": false, "labs": [], "typical_usage": [ "https://threatfox.abuse.ch" ], "for610_sections": [ 1 ], "tags": [ "threat-intel", "ioc-sharing", "abuse-ch" ] }, { "id": "securitytrails", "name": "SecurityTrails", "aliases": [], "description": "Historical DNS records and IP/domain intelligence", "category": "online-platforms", "platform": "online", "in_remnux": false, "labs": [], "typical_usage": [ "https://securitytrails.com" ], "for610_sections": [ 1 ], "tags": [ "dns-history", "domain-intel" ] }, { "id": "unpacme", "name": "UnpacMe", "aliases": [], "description": "Automated online malware unpacking service", "category": "online-platforms", "platform": "online", "in_remnux": false, "labs": [], "typical_usage": [ "https://www.unpac.me" ], "for610_sections": [ 4 ], "tags": [ "unpacking", "automated", "online" ] }, { "id": "vmware-workstation", "name": 
"VMware Workstation Pro", "aliases": [ "VMware" ], "description": "Desktop hypervisor for running isolated analysis VMs with snapshots and host-only networking", "category": "virtualization", "platform": "both", "in_remnux": false, "labs": [], "typical_usage": [ "vmware" ], "for610_sections": [ 1 ], "tags": [ "hypervisor", "vm", "isolation" ] }, { "id": "vmware-fusion", "name": "VMware Fusion", "aliases": [], "description": "macOS hypervisor for running analysis virtual machines", "category": "virtualization", "platform": "both", "in_remnux": false, "labs": [], "typical_usage": [ "VMware Fusion.app" ], "for610_sections": [ 1 ], "tags": [ "hypervisor", "macos" ] }, { "id": "virtualbox", "name": "VirtualBox", "aliases": [], "description": "Open-source hypervisor for running analysis virtual machines", "category": "virtualization", "platform": "both", "in_remnux": false, "labs": [], "typical_usage": [ "VirtualBox" ], "for610_sections": [ 1 ], "tags": [ "hypervisor", "open-source" ] }, { "id": "visual-studio-code", "name": "Visual Studio Code", "aliases": [ "code", "VS Code" ], "description": "Code editor used for viewing decompiled output, scripts, and analysis results", "category": "utilities", "platform": "both", "in_remnux": true, "labs": [ "1.3", "1.4", "1.5", "3.3", "3.6", "3.7", "4.5", "4.8", "5.2", "5.3" ], "typical_usage": [ "code filename.js" ], "for610_sections": [ 1, 3, 4, 5 ], "tags": [ "editor", "code-viewer" ] }, { "id": "notepadpp", "name": "Notepad++", "aliases": [], "description": "Advanced Windows text editor with syntax highlighting for script analysis", "category": "utilities", "platform": "windows", "in_remnux": false, "labs": [ "3.6", "3.8", "3.9", "3.10", "3.11", "3.12", "4.5" ], "typical_usage": [ "notepad++ script.ps1" ], "for610_sections": [ 3, 4 ], "tags": [ "editor", "windows" ] }, { "id": "jq", "name": "jq", "aliases": [], "description": "Command-line JSON processor for extracting and transforming structured data", "category": "utilities", 
"platform": "linux", "in_remnux": true, "labs": [ "1.4" ], "typical_usage": [ "cat report.json | jq '.apis'", "jq -r '.entry' report.json" ], "for610_sections": [ 1 ], "tags": [ "json", "data-processing" ] }, { "id": "feh", "name": "feh", "aliases": [], "description": "Lightweight image viewer for viewing extracted images from documents", "category": "utilities", "platform": "linux", "in_remnux": true, "labs": [ "3.1" ], "typical_usage": [ "feh extracted_image.jpg" ], "for610_sections": [ 3 ], "tags": [ "image-viewer" ] }, { "id": "winscp", "name": "WinSCP", "aliases": [], "description": "Windows SCP/SFTP client for transferring files between Windows and Linux VMs", "category": "utilities", "platform": "windows", "in_remnux": false, "labs": [ "4.5" ], "typical_usage": [ "WinSCP.exe" ], "for610_sections": [ 4 ], "tags": [ "file-transfer", "scp" ] }, { "id": "wine", "name": "Wine", "aliases": [], "description": "Windows compatibility layer \u2014 run Windows executables on Linux; this is execution, not emulation in a sandbox: Wine provides no isolation, so the sample runs with the invoking user's privileges on the analysis VM (snapshot first)", "category": "utilities", "platform": "linux", "in_remnux": true, "labs": [ "3.5" ], "typical_usage": [ "wine program.exe" ], "for610_sections": [ 3 ], "tags": [ "windows-compat", "execution" ] }, { "id": "unzip", "name": "unzip", "aliases": [], "description": "Extract ZIP archives containing malware samples (the password 'infected' is the community convention for malware archives; extract only inside the isolated analysis VM)", "category": "utilities", "platform": "linux", "in_remnux": true, "labs": [ "1.1", "3.1", "3.3", "3.4", "3.5", "3.6", "3.7", "4.1", "4.8", "5.2", "5.3", "5.4" ], "typical_usage": [ "unzip -P infected sample.zip" ], "for610_sections": [ 1, 3, 4, 5 ], "tags": [ "archive", "extraction" ] }, { "id": "gunzip", "name": "gunzip", "aliases": [], "description": "Decompress gzip-compressed data (often used in multi-stage payload extraction)", "category": "utilities", "platform": "linux", "in_remnux": true, "labs": [ "3.4" ], "typical_usage": [ "gunzip -c compressed.gz > output.bin" ], "for610_sections": [ 3 ], "tags": [ "compression", "extraction" ] }, { "id": "rar", "name": "rar", "aliases": [ 
"unrar" ], "description": "Extract RAR archives, including the contents of self-extracting RAR (.exe) payloads, without running the SFX stub", "category": "utilities", "platform": "both", "in_remnux": true, "labs": [ "3.5" ], "typical_usage": [ "rar x archive.rar" ], "for610_sections": [ 3 ], "tags": [ "archive", "extraction" ] }, { "id": "hexdump", "name": "hexdump", "aliases": [], "description": "Display file content in hexadecimal format", "category": "utilities", "platform": "linux", "in_remnux": true, "labs": [], "typical_usage": [ "hexdump -C binary.dat" ], "for610_sections": [ 1 ], "tags": [ "hex", "binary-viewing" ] }, { "id": "xxd", "name": "xxd", "aliases": [], "description": "Create hex dump of a file or reverse a hex dump back to binary", "category": "utilities", "platform": "linux", "in_remnux": true, "labs": [], "typical_usage": [ "xxd binary.exe", "xxd -r hexdump.txt > binary.exe" ], "for610_sections": [ 1 ], "tags": [ "hex", "binary-conversion" ] }, { "id": "binwalk", "name": "binwalk", "aliases": [], "description": "Analyze and extract embedded files and firmware images", "category": "utilities", "platform": "linux", "in_remnux": true, "labs": [], "typical_usage": [ "binwalk firmware.bin", "binwalk -e firmware.bin" ], "for610_sections": [ 1 ], "tags": [ "firmware", "extraction", "embedded-files" ] }, { "id": "wget", "name": "wget", "aliases": [], "description": "Download files from HTTP/HTTPS/FTP servers \u2014 fetching a second stage directly from attacker infrastructure reveals the analyst's source IP to the adversary, so do so only through an isolated, non-attributable egress path", "category": "utilities", "platform": "linux", "in_remnux": true, "labs": [], "typical_usage": [ "wget http://example.com/file.bin" ], "for610_sections": [ 1 ], "tags": [ "download", "http" ] }, { "id": "curl", "name": "curl", "aliases": [], "description": "Transfer data to/from servers using various protocols \u2014 the same source-IP exposure caveat as wget applies when contacting live C2 or payload hosts", "category": "utilities", "platform": "linux", "in_remnux": true, "labs": [], "typical_usage": [ "curl -L http://example.com", "curl -o output.bin http://example.com/file" ], "for610_sections": [ 1 ], "tags": [ "download", "http", "transfer" ] }, { "id": "reg-export", "name": "reg_export", 
"aliases": [], "description": "Extract registry key values to files \u2014 used to recover malware artifacts stored in registry", "category": "utilities", "platform": "windows", "in_remnux": false, "author": "Adam Kramer", "labs": [ "4.5" ], "typical_usage": [ "reg_export HKCU\\software\\keyname valuename output.js" ], "for610_sections": [ 4 ], "tags": [ "registry", "extraction", "windows" ] }, { "id": "regedit", "name": "Regedit", "aliases": [], "description": "Windows Registry Editor for browsing and modifying registry keys", "category": "utilities", "platform": "windows", "in_remnux": false, "labs": [ "4.5" ], "typical_usage": [ "regedit.exe" ], "for610_sections": [ 4 ], "tags": [ "registry", "windows" ] } ] }