tobias 1d2427415e Add FOR610 exam cheat sheets (tools, assembly, Windows APIs)
Three markdown cheat sheets for exam preparation:
- 01-tools.md: All analysis tools with descriptions, platforms, book
  section refs, and key pipe chains
- 02-assembly.md: x86/x64 registers, instructions, calling conventions,
  stack frames, control flow, anti-analysis patterns
- 03-windows-apis.md: All Windows APIs by category with DLLs, malware
  use cases, and technique-to-API mapping table

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-29 22:24:55 +02:00


# FOR610 Tools Cheat Sheet

## Static Analysis

| Tool | Platform | Description | Book Ref |
|---|---|---|---|
| PeStudio | Windows | Examine PE properties, imports, strings, sections, entropy. Highlights malicious indicators automatically | S1 p.46 |
| peframe | REMnux | REMnux alternative to PeStudio — extracts PE properties, detects anomalies | S1 p.48 |
| pestr | REMnux | Extract ASCII and Unicode strings from PE files in one shot (part of Pev toolkit) | S1 p.44 |
| strings | REMnux | Extract ASCII strings from any binary. Use `--encoding=l` for Unicode | S1 p.44 |
| Detect It Easy (diec) | Both | Identify packers, compilers, and build tools used to create executables | S1 p.49 |
| ExeInfo PE | Windows | Similar to DIE — identifies tools/packers, can "rip" (carve) embedded artifacts | S1 p.49 |
| CFF Explorer | Windows | View/edit PE headers, disable DynamicBase (ASLR) flag | S4 p.22 |
| capa | REMnux | Detect malware capabilities mapped to MITRE ATT&CK and MBC frameworks | S1 p.88 |
| FLOSS | REMnux | Automatically extract obfuscated strings (static + stack + decoded) | S5 p.28 |
| file | REMnux | Identify file type using magic bytes | S3 |
| trid | REMnux | Identify file type using signature database | S3 |
| exiftool | REMnux | Extract metadata from files (author, timestamps, etc.) | S1 |

## Document Analysis

| Tool | Platform | Description | Book Ref |
|---|---|---|---|
| pdfid.py | REMnux | Scan PDF for suspicious keywords (`/JavaScript`, `/OpenAction`, `/Launch`, `/URI`) | S3 p.10 |
| pdf-parser.py | REMnux | Parse PDF structure, locate objects, extract content, search strings, dump objects | S3 p.11 |
| peepdf | REMnux | Interactive PDF analysis framework with JavaScript detection | S3 |
| oledump.py | REMnux | Examine OLE2 files — list streams (M=macro), extract VBA with `-s <n> -v` | S3 p.37 |
| olevba | REMnux | Extract and deobfuscate VBA macros, detect auto-execute triggers | S3 |
| rtfdump.py | REMnux | Analyze RTF structure — find hex-encoded groups at deep nesting levels | S3 |
| base64dump.py | REMnux | Find, extract, and decode Base64 strings. `-n 10` shows top hits, `-s <n> -d` decodes | S3 p.46 |
| numbers-to-string.py | REMnux | Convert decimal number sequences (from VBA `Chr()` calls) to readable text | S3 p.40 |
| translate.py | REMnux | Transform bytes with Python expressions: `translate.py "byte ^ 35"` for XOR | S3 p.55 |

## Network Interception

| Tool | Platform | Description | Book Ref |
|---|---|---|---|
| Wireshark | Windows | Network sniffer — capture packets, follow TCP streams, extract payloads | S1 p.52 |
| fakedns | REMnux | Fake DNS server — resolves ALL queries to REMnux IP | S1 p.71 |
| INetSim | REMnux | Emulate internet services: HTTP, HTTPS, DNS, FTP, SMTP, IRC | S1 p.123 |
| Fiddler | Windows | HTTP/HTTPS debugging proxy — intercept, inspect, modify web traffic | S3 p.127 |
| httpd | REMnux | Simple web server (nginx) for simulating C2 | S1 p.79 |
| iptables | REMnux | Redirect IP-based traffic: `iptables -t nat -A PREROUTING -i eth0 -j REDIRECT` | S1 |

## Emulation & Shellcode

| Tool | Platform | Description | Book Ref |
|---|---|---|---|
| speakeasy | REMnux | Emulate Windows API calls without executing. `-t <sample> -o report.json` | S1 p.85 |
| scdbgc | Both | Shellcode emulator — `/f sc.bin /s -1` for API trace, `/foff` for offset | S3 p.57 |
| runsc32 | Windows | Execute shellcode for dynamic analysis with debugger attachment | S3 p.73 |
| box-js | REMnux | Node.js sandbox for JavaScript analysis with WScript emulation | S3 p.95 |
| SpiderMonkey | REMnux | Mozilla JS engine: `js -f /usr/share/remnux/objects.js -f <script>` | S3 p.84 |

## Code Analysis & Debugging

| Tool | Platform | Description | Book Ref |
|---|---|---|---|
| Ghidra | Both | NSA disassembler/decompiler — function graphs, symbol trees, scripting | S2 |
| x64dbg | Windows | 64-bit debugger — breakpoints, memory inspection, patching | S1 p.92 |
| x32dbg | Windows | 32-bit debugger — same as x64dbg for 32-bit binaries | S3-S5 |
| IDA | Multi | Commercial disassembler with built-in debugger (freeware version available) | S2 p.81 |
| Binary Ninja | Multi | Commercial disassembler, strong for automated analysis | S2 p.81 |
| Cutter | REMnux | Open-source GUI for radare2 | S2 p.81 |

## Unpacking

| Tool | Platform | Description | Book Ref |
|---|---|---|---|
| UPX | Both | Unpack UPX-packed files: `upx -d packed.exe` (fails if modified) | S4 p.40 |
| Scylla | Windows | Dump process from memory + fix IAT (Import Address Table) | S4 |
| OllyDumpEx | Windows | x64dbg/x32dbg plugin for memory dumping at OEP | S4 |
| ScyllaHide | Windows | x64dbg plugin to hide debugger from anti-debug checks | S5 p.33 |
| pe_unmapper | Windows | Convert virtual-aligned dump to raw alignment (by Hasherezade) | S5 p.38 |
| setdllcharacteristics | Windows | Disable ASLR: `setdllcharacteristics -d <file>` (by Didier Stevens) | S4 p.22 |

## .NET Analysis

| Tool | Platform | Description | Book Ref |
|---|---|---|---|
| ILSpy | Windows | .NET decompiler — view C#/VB.NET source from compiled assemblies | S3 p.34 |
| ilspycmd | REMnux | Command-line ILSpy: `ilspycmd <assembly> > source.cs` | S4 |
| dnSpyEx | Windows | .NET debugger + decompiler — breakpoints on `Assembly.Load` | S3 p.34 |
| de4dot | Windows | .NET deobfuscator — removes ConfuserEx, Eziriz, etc. | S4 p.33 |

## String Deobfuscation

| Tool | Platform | Description | Book Ref |
|---|---|---|---|
| XORSearch | REMnux | Find XOR-encoded shellcode/strings: `-W` for shellcode patterns, `-d 3` skip ROT | S3 p.70 |
| brxor.py | REMnux | Brute-force single-byte XOR — looks for English words in decoded output | S5 p.22 |
| bbcrack | REMnux | Detect XOR, ROL, ADD obfuscation: `bbcrack -l 1 <file>` | S5 p.23 |
| strdeob.pl | REMnux | Decode stack-built strings (MOV byte-by-byte patterns) | S5 p.28 |
| CyberChef | Both | Visual multi-step decoding (Base64, XOR, hex, decompress). By GCHQ | S1 p.107 |
| 1768.py | REMnux | Parse Cobalt Strike beacon configuration from shellcode | S3 p.58 |

## Behavioral Analysis

| Tool | Platform | Description | Book Ref |
|---|---|---|---|
| System Informer | Windows | Process monitor — replaces Task Manager. Shows processes, handles, network | S1 p.52 |
| Process Monitor | Windows | Records file system, registry, and process/thread activity in real time | S1 p.52 |
| Regshot | Windows | Compare registry/filesystem state before and after infection | S1 p.52 |
| ProcDOT | Windows | Visualize Process Monitor logs as interactive graphs | S1 p.52 |

## PowerShell Analysis

| Tool | Platform | Description | Book Ref |
|---|---|---|---|
| PowerShell ISE | Windows | Debug PS scripts — set breakpoints on `Invoke-Expression` to intercept | S3 |
| logman | Windows | Enable AMSI tracing: `logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface` | S3 |
| AMSIScriptContentRetrieval | Windows | Extract monitored script content from AMSI event trace logs | S3 |

## YARA & Detection

| Tool | Platform | Description | Book Ref |
|---|---|---|---|
| yara / yara-rules | REMnux | Scan files with community YARA rules for malware families and capabilities | S3 p.58 |
| 1768.py | REMnux | Cobalt Strike beacon parser (Didier Stevens) | S3 p.58 |
| capa | REMnux | Capability detection via MITRE ATT&CK mapping | S1 p.88 |

## Key Pipe Chains

```bash
# Extract Base64 PowerShell from Office macro
oledump.py <doc> -s <stream> -d | base64dump.py -s 1 -d > payload.ps1

# VBA number array -> readable text
oledump.py <doc> -s <stream> -v | numbers-to-string.py -j

# Multi-stage decode: Base64 -> gunzip
base64dump.py <script.ps1> -s 3 -d | gunzip > decoded.ps1

# XOR decode shellcode
base64dump.py <script.ps1> -s 2 -d | translate.py "byte ^ 35" > sc.bin

# RTF shellcode extraction + emulation
rtfdump.py <doc> -s 5 -H -d > sc.bin
scdbgc /f sc.bin /foff 3B /s -1

# JavaScript deobfuscation
js -f /usr/share/remnux/objects.js -f <malicious.js> > decoded.js

# Speakeasy emulation + API extraction
speakeasy -t <sample> -o report.json 2> report.txt
jq '.entry_points[].apis[].api_name' report.json | sort -u

# CAPA capability filtering
capa -vv <sample> | grep -A7 "inject"
```