# REMnux Docker Container - TLDR Tools Cheat Sheet

## Quick Start

```bash
# Run the REMnux container, mounting a local samples directory into it
docker run --rm -it -u remnux -v ~/samples:/home/remnux/files remnux/remnux-distro:focal bash

# Default credentials: remnux/malware
```

---

## 📁 GENERAL FILE ANALYSIS

### 🔧 FILE

- **Purpose**: Identify file type using magic numbers
- **Syntax**: `file [filename]`
- **Example**: `file malware.exe`
- **Output**: Shows file type and basic properties

### 🔧 EXIFTOOL

- **Purpose**: Extract metadata from files
- **Syntax**: `exiftool [options] [filename]`
- **Example**: `exiftool -a malware.exe`
- **Output**: Displays all metadata tags (including duplicates, because of `-a`)

### 🔧 TRID

- **Purpose**: Identify file types using signatures
- **Syntax**: `trid [filename]`
- **Example**: `trid unknown_file.bin`
- **Output**: Shows percentage probability of file types

### 🔧 DIE (Detect-It-Easy)

- **Purpose**: Detect file types, packers and compilers and examine properties
- **Syntax**: `die [filename]` (GUI) or `diec [filename]` (console)
- **Example**: `die malware.exe`
- **Output**: Comprehensive file analysis

### 🔧 YARA

- **Purpose**: Pattern matching for malware identification
- **Syntax**: `yara [rulefile] [target]`
- **Example**: `yara rules.yar malware.exe`
- **Output**: Shows matching rules

### 🔧 SSDEEP

- **Purpose**: Compute fuzzy hashes for similarity detection
- **Syntax**: `ssdeep [options] [files]`
- **Example**: `ssdeep -b malware1.exe malware2.exe`
- **Output**: Fuzzy hashes in bare form (filenames without paths); add `-d` to compare the files against each other

### 🔧 CLAMSCAN

- **Purpose**: Scan files for malware signatures
- **Syntax**: `clamscan [options] [file/directory]`
- **Example**: `clamscan --verbose malware.exe`
- **Output**: Virus detection results

### 🔧 BINWALK

- **Purpose**: Extract and analyze firmware images
- **Syntax**: `binwalk [options] [filename]`
- **Example**: `binwalk -e firmware.bin`
- **Output**: Extracted files and entropy analysis

### 🔧 BULK_EXTRACTOR

- **Purpose**: Extract strings and artifacts from files
- **Syntax**: `bulk_extractor [options] -o [output_dir] [input]`
- **Example**: `bulk_extractor -o output_dir malware.exe`
- **Output**: Directory with extracted artifacts

### 🔧 SIGNSRCH

- **Purpose**: Find crypto/compression algorithm signatures
- **Syntax**: `signsrch [filename]`
- **Example**: `signsrch malware.exe`
- **Output**: List of detected algorithms

---

## 📁 PE FILE ANALYSIS

### 🔧 PEFRAME

- **Purpose**: Comprehensive PE static analyzer
- **Syntax**: `peframe [options] [pe_file]`
- **Example**: `peframe -j malware.exe`
- **Output**: JSON format analysis report

### 🔧 PEFILE

- **Purpose**: Python PE file analysis library
- **Syntax**: `python3 -c "import pefile; pe=pefile.PE('file.exe'); print(pe.dump_info())"`
- **Example**: `pefile-dump malware.exe`
- **Output**: Detailed PE structure information

### 🔧 PESCAN

- **Purpose**: Scan PE files for suspicious indicators
- **Syntax**: `pescan [pe_file]`
- **Example**: `pescan malware.exe`
- **Output**: Suspicious characteristics report

### 🔧 MANALYZE

- **Purpose**: Advanced PE analyzer with plugins
- **Syntax**: `manalyze [options] [pe_file]`
- **Example**: `manalyze --plugins=all malware.exe`
- **Output**: Comprehensive analysis with threat score

---

## 📁 STRING ANALYSIS & DEOBFUSCATION

### 🔧 STRINGS

- **Purpose**: Extract printable strings from files
- **Syntax**: `strings [options] [filename]`
- **Example**: `strings -n 6 malware.exe | head -20`
- **Output**: List of printable strings (at least 6 characters long)

### 🔧 FLOSS

- **Purpose**: FLARE Obfuscated String Solver
- **Syntax**: `floss [options] [filename]`
- **Example**: `floss --no-static-strings malware.exe`
- **Output**: Deobfuscated strings

### 🔧 BASE64DUMP

- **Purpose**: Extract and decode Base64 strings
- **Syntax**: `base64dump.py [options] [filename]`
- **Example**: `base64dump.py -s malware.txt`
- **Output**: Decoded Base64 content

### 🔧 XORSEARCH

- **Purpose**: Search for XOR encoded strings
- **Syntax**: `xorsearch [options] [filename] [string]`
- **Example**: `xorsearch -W malware.exe kernel32`
- **Output**: XOR key and decoded strings

### 🔧 CYBERCHEF

- **Purpose**: Web-based data transformation tool
- **Setup**: Start with the `cyberchef` command
- **Access**: Open a browser to http://localhost:8080
- **Usage**: Upload a file and apply transformations
- **Output**: Decoded/transformed data

---

## 📁 DISASSEMBLERS & DECOMPILERS

### 🔧 GHIDRA

- **Purpose**: NSA reverse engineering framework
- **Syntax**: `ghidra` or `ghidraRun`
- **Usage**: Import malware.exe and analyze
- **Output**: Decompiled C-like code

### 🔧 RADARE2

- **Purpose**: Command-line reverse engineering framework
- **Syntax**: `r2 [options] [filename]`
- **Example**: `r2 -A malware.exe`
- **Output**: Interactive analysis session

### 🔧 CUTTER

- **Purpose**: GUI for Radare2
- **Syntax**: `cutter [filename]`
- **Example**: `cutter malware.exe`
- **Output**: Graphical disassembly interface

### 🔧 OBJDUMP

- **Purpose**: GNU object file dumper
- **Syntax**: `objdump [options] [filename]`
- **Example**: `objdump -d -M intel malware.exe`
- **Output**: Disassembled code (Intel syntax)

### 🔧 RETDEC-DECOMPILER

- **Purpose**: Multi-architecture decompiler
- **Syntax**: `retdec-decompiler [options] [filename]`
- **Example**: `retdec-decompiler malware.exe`
- **Output**: Decompiled C code

---

## 📁 DYNAMIC ANALYSIS & DEBUGGING

### 🔧 GDB

- **Purpose**: GNU debugger for Linux binaries
- **Syntax**: `gdb [program]` or `gdb -p [pid]`
- **Example**: `gdb ./malware`
- **Output**: Interactive debugging session

### 🔧 STRACE

- **Purpose**: Trace system calls
- **Syntax**: `strace [options] [command]`
- **Example**: `strace -f -e trace=file ./malware`
- **Output**: System call trace (file-related calls only, following child processes)

### 🔧 LTRACE

- **Purpose**: Trace library calls
- **Syntax**: `ltrace [options] [command]`
- **Example**: `ltrace ./malware`
- **Output**: Library function call trace

### 🔧 FRIDA

- **Purpose**: Dynamic instrumentation toolkit
- **Syntax**: `frida [options] [target]`
- **Example**: `frida -l script.js malware`
- **Output**: Runtime manipulation results

---

## 📁 MEMORY FORENSICS

### 🔧 VOLATILITY (v2)

- **Purpose**: Memory forensics framework
- **Syntax**: `vol.py -f [memory_dump] --profile=[profile] [plugin]`
- **Example**: `vol.py -f memory.dump --profile=Win7SP1x64 pslist`
- **Output**: Process list from memory

### 🔧 VOLATILITY3 (v3)

- **Purpose**: Next-gen memory forensics
- **Syntax**: `vol3 -f [memory_dump] [plugin]`
- **Example**: `vol3 -f memory.dump windows.pslist`
- **Output**: Enhanced process information

### 🔧 REKALL

- **Purpose**: Memory forensics and live analysis
- **Syntax**: `rekall -f [memory_dump]`
- **Example**: `rekall -f memory.dump`
- **Output**: Interactive memory analysis

---

## 📁 DOCUMENT ANALYSIS

### 🔧 OLEVBA

- **Purpose**: Extract VBA macros from Office documents
- **Syntax**: `olevba [options] [document]`
- **Example**: `olevba --decode malicious.docm`
- **Output**: Extracted and decoded macros

### 🔧 OLEDUMP

- **Purpose**: Analyze OLE files and extract objects
- **Syntax**: `oledump.py [options] [olefile]`
- **Example**: `oledump.py -s 3 -d document.docm`
- **Output**: Dumped OLE stream content

### 🔧 PDFID

- **Purpose**: Analyze PDF structure for suspicious elements
- **Syntax**: `pdfid.py [options] [pdf_file]`
- **Example**: `pdfid.py suspicious.pdf`
- **Output**: PDF object statistics

### 🔧 PEEPDF

- **Purpose**: Interactive PDF analysis tool
- **Syntax**: `peepdf [options] [pdf_file]`
- **Example**: `peepdf -i malicious.pdf`
- **Output**: Interactive PDF exploration

### 🔧 RTFDUMP

- **Purpose**: Analyze RTF documents
- **Syntax**: `rtfdump.py [options] [rtf_file]`
- **Example**: `rtfdump.py document.rtf`
- **Output**: RTF structure analysis

---

## 📁 NETWORK ANALYSIS

### 🔧 WIRESHARK

- **Purpose**: Network protocol analyzer GUI
- **Syntax**: `wireshark [options] [capture_file]`
- **Example**: `wireshark capture.pcap`
- **Output**: Graphical packet analysis

### 🔧 TSHARK

- **Purpose**: Command-line Wireshark
- **Syntax**: `tshark [options]`
- **Example**: `tshark -r capture.pcap -Y http`
- **Output**: Filtered packet information

### 🔧 TCPDUMP

- **Purpose**: Capture network packets
- **Syntax**: `tcpdump [options] [expression]`
- **Example**: `tcpdump -i eth0 -w capture.pcap`
- **Output**: Captured network packets

### 🔧 NGREP

- **Purpose**: Network grep for packet payloads
- **Syntax**: `ngrep [options] [pattern] [expression]`
- **Example**: `ngrep -i 'GET|POST' port 80`
- **Output**: Matching packet content

---

## 📁 JAVASCRIPT ANALYSIS

### 🔧 BOX-JS

- **Purpose**: JavaScript sandbox for analysis
- **Syntax**: `box-js [javascript_file]`
- **Example**: `box-js malicious.js`
- **Output**: Execution trace and IOCs

### 🔧 JS-FILE

- **Purpose**: JavaScript file analyzer
- **Syntax**: `js-file [javascript_file]`
- **Example**: `js-file obfuscated.js`
- **Output**: JavaScript analysis report

---

## 📁 ARCHIVE & PACKING

### 🔧 UPX

- **Purpose**: Ultimate Packer for eXecutables
- **Syntax**: `upx [options] [files]`
- **Example**: `upx -d packed.exe` (unpack)
- **Output**: Unpacked executable

### 🔧 7Z

- **Purpose**: 7-Zip archiver
- **Syntax**: `7z [command] [archive] [files]`
- **Example**: `7z x archive.7z`
- **Output**: Extracted files

### 🔧 UNZIP

- **Purpose**: Extract ZIP archives
- **Syntax**: `unzip [options] [zipfile]`
- **Example**: `unzip -l archive.zip`
- **Output**: Archive contents list

---

## 📁 UTILITIES

### 🔧 HEXDUMP

- **Purpose**: Display file contents in hexadecimal
- **Syntax**: `hexdump [options] [file]`
- **Example**: `hexdump -C malware.exe | head`
- **Output**: Hex and ASCII representation

### 🔧 XXD

- **Purpose**: Hex dump and reverse tool
- **Syntax**: `xxd [options] [file]`
- **Example**: `xxd malware.exe | head -10`
- **Output**: Formatted hex dump

### 🔧 CUT

- **Purpose**: Extract columns from text
- **Syntax**: `cut [options] [file]`
- **Example**: `strings malware.exe | cut -c1-50`
- **Output**: Truncated string output

---

## 🚀 Quick Analysis Workflow

```bash
# 1. Basic file identification
file malware.exe
trid malware.exe
exiftool malware.exe

# 2. Hash and scan
md5sum malware.exe
ssdeep malware.exe
clamscan malware.exe

# 3. PE analysis (if Windows executable)
peframe malware.exe
manalyze malware.exe

# 4. String analysis
strings malware.exe | head -50
floss malware.exe

# 5. Pattern matching
yara rules.yar malware.exe

# 6. Static disassembly
r2 -A malware.exe
# or
ghidra malware.exe

# 7. Dynamic analysis (Linux binaries only in container)
strace ./linux_malware
ltrace ./linux_malware
```

---

## 📋 Common Command Combinations

```bash
# Extract and analyze strings
strings malware.exe | grep -i "http\|ftp\|\.exe\|\.dll" | head -20

# Search for Base64 encoded content
base64dump.py malware.exe | head -10

# Look for XOR patterns
xorsearch -W malware.exe http

# Bulk artifact extraction
bulk_extractor -o artifacts malware.exe

# Memory dump analysis
vol.py -f memory.dump --profile=Win7SP1x64 pslist
vol.py -f memory.dump --profile=Win7SP1x64 netscan
```

**Total Tools Covered**: 48 essential REMnux tools
**Container**: `remnux/remnux-distro:focal`
**Total Available Tools**: 300+ tools across all categories
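The static steps of the workflow above (file identification, hashing, the PE header read that `pefile` performs, and `strings -n 6`) can be reproduced without the REMnux tools, which is handy for scripted triage. This is an added example, not part of the original cheat sheet; the sample PE image it analyzes is constructed inline and is not a real malware sample.

```python
import hashlib
import re
import struct

# Leading magic bytes for the file types the cheat sheet's tools target.
MAGIC = [(b"MZ", "PE/DOS executable"), (b"\x7fELF", "ELF"), (b"%PDF", "PDF"),
         (b"PK\x03\x04", "ZIP/OOXML"), (b"\xd0\xcf\x11\xe0", "OLE2 (legacy Office)"),
         (b"{\\rtf", "RTF")]

def build_sample() -> bytes:
    """Constructed minimal PE image: DOS header, e_lfanew -> 'PE\\0\\0', COFF header
    for x86-64 with two sections, then padding holding a few strings."""
    dos = bytearray(b"MZ" + b"\x00" * 62)             # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew points right after it
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0x22)  # Machine ... Characteristics
    tail = b"\x00" * 8 + b"http://example.invalid/update\x00" + b"ab\x00" + b"kernel32.dll\x00"
    return bytes(dos) + b"PE\0\0" + coff + tail

def identify(data: bytes) -> str:
    """Step 1 stand-in for `file`: match the leading magic bytes."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"

def hashes(data: bytes) -> dict:
    """Step 2 stand-in for md5sum (plus SHA-256, the hash most sandboxes key on)."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

def pe_header(data: bytes) -> dict:
    """Step 3 stand-in for pefile: follow e_lfanew and read the COFF file header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    machine, nsections, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {"machine": hex(machine), "sections": nsections,
            "timestamp": ts, "characteristics": hex(chars)}

def strings(data: bytes, min_len: int = 6) -> list:
    """Step 4 stand-in for `strings -n 6`: runs of printable ASCII of at least min_len."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

if __name__ == "__main__":
    sample = build_sample()
    print(identify(sample), hashes(sample)["sha256"])
    print(pe_header(sample))
    print(strings(sample))
```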