tobias f3ccc09c3d Add FOR610 tool/workflow knowledge base and data pipeline
Build a comprehensive malware analysis knowledge base from 3 sources:
- SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes
- REMnux salt-states: 340 packages parsed from GitHub
- REMnux docs: 280+ tools scraped from docs.remnux.org

Master inventory merges all sources into 447 tools with help tiers
(rich/standard/basic). Pipeline generates: tools.db (397 entries),
397 cheatsheets with multi-tool recipes, 15 workflow guides, 224
TLDR pages, and coverage reports.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 17:38:15 +01:00

1688 lines
48 KiB
YAML

# FOR610 Master Tool Catalog
# Comprehensive inventory of all tools referenced in SANS FOR610 course
# Each tool includes platform, availability, lab references, and usage examples
tools:
# ============================================================
# PDF ANALYSIS
# ============================================================
- id: pdfid-py
name: "pdfid.py"
aliases: ["pdfid"]
description: "Scan PDF files for suspicious keywords like /JavaScript, /OpenAction, /Launch without parsing"
category: pdf-analysis
platform: linux
in_remnux: true
author: "Didier Stevens"
labs: ["3.1"]
typical_usage:
- "pdfid.py document.pdf"
- "pdfid.py -n document.pdf"
for610_sections: [1, 3]
tags: [pdf, static-analysis, triage, didier-stevens]
- id: pdf-parser-py
name: "pdf-parser.py"
aliases: ["pdf-parser"]
description: "Parse PDF structure, locate objects, extract content, and search for strings"
category: pdf-analysis
platform: linux
in_remnux: true
author: "Didier Stevens"
labs: ["3.1"]
typical_usage:
- "pdf-parser.py document.pdf -a"
- "pdf-parser.py document.pdf -s /URI"
- "pdf-parser.py document.pdf -k /URI"
- "pdf-parser.py document.pdf -o 6 -d object6.jpg"
for610_sections: [1, 3]
tags: [pdf, static-analysis, object-extraction, didier-stevens]
- id: peepdf
name: "peepdf"
aliases: []
description: "Interactive PDF analysis framework with JavaScript detection and exploitation capabilities"
category: pdf-analysis
platform: linux
in_remnux: true
labs: []
typical_usage:
- "peepdf -i malicious.pdf"
- "peepdf -f -i malicious.pdf"
for610_sections: [1]
tags: [pdf, interactive, javascript-detection]
- id: pdftool-py
name: "pdftool.py"
aliases: []
description: "Analyze PDF incremental updates"
category: pdf-analysis
platform: linux
in_remnux: true
author: "Didier Stevens"
labs: []
typical_usage:
- "pdftool.py document.pdf"
for610_sections: [1]
tags: [pdf, didier-stevens]
- id: pdfresurrect
name: "pdfresurrect"
aliases: []
description: "Extract and analyze previous versions from PDF files"
category: pdf-analysis
platform: linux
in_remnux: true
labs: []
typical_usage:
- "pdfresurrect document.pdf"
for610_sections: [1]
tags: [pdf, versioning]
- id: qpdf
name: "qpdf"
aliases: []
description: "Decrypt, linearize, and transform PDF files — useful for removing password protection"
category: pdf-analysis
platform: linux
in_remnux: true
labs: []
typical_usage:
- "qpdf --decrypt encrypted.pdf output.pdf"
for610_sections: [3]
tags: [pdf, decryption, transformation]
- id: pdftk
name: "pdftk"
aliases: []
description: "Manipulate PDF files — merge, split, flatten, encrypt, and extract embedded content"
category: pdf-analysis
platform: linux
in_remnux: true
labs: []
typical_usage:
- "pdftk input.pdf cat output output.pdf flatten"
- "pdftk input.pdf unpack_files"
for610_sections: [3]
tags: [pdf, manipulation, extraction]
# ============================================================
# DOCUMENT & MACRO ANALYSIS
# ============================================================
- id: oledump-py
name: "oledump.py"
aliases: ["oledump"]
description: "Analyze OLE2 files (Office documents), extract streams and VBA macros"
category: document-analysis
platform: linux
in_remnux: true
author: "Didier Stevens"
labs: ["3.3", "3.4", "4.5"]
typical_usage:
- "oledump.py document.docm"
- "oledump.py document.docm -s A3 -v"
- "oledump.py document.docm -i"
for610_sections: [3, 4]
tags: [office, vba, macro, ole, didier-stevens]
- id: olevba
name: "olevba"
aliases: []
description: "Extract and analyze VBA macros from Office documents with deobfuscation"
category: document-analysis
platform: linux
in_remnux: true
labs: []
typical_usage:
- "olevba document.docm"
- "olevba --deobf document.docm"
for610_sections: [3]
tags: [office, vba, macro, deobfuscation]
- id: evilclippy
name: "evilclippy"
aliases: []
description: "Remove VBA project password protection and manipulate Office macro settings"
category: document-analysis
platform: both
in_remnux: true
labs: []
typical_usage:
- "evilclippy -uu document.docm"
for610_sections: [3]
tags: [office, vba, password-removal]
- id: rtfdump-py
name: "rtfdump.py"
aliases: ["rtfdump"]
description: "Analyze RTF file structure, identify hex-encoded groups and embedded objects"
category: document-analysis
platform: linux
in_remnux: true
author: "Didier Stevens"
labs: ["3.5"]
typical_usage:
- "rtfdump.py document.rtf"
- "rtfdump.py document.rtf -s 5 -H -d > extracted.bin"
for610_sections: [3]
tags: [rtf, document, didier-stevens]
- id: base64dump-py
name: "base64dump.py"
aliases: ["base64dump"]
description: "Extract and decode Base64-encoded strings from files"
category: document-analysis
platform: linux
in_remnux: true
author: "Didier Stevens"
labs: ["3.4", "4.5"]
typical_usage:
- "base64dump.py file.txt"
- "base64dump.py file.ps1 -n 10"
- "base64dump.py file.ps1 -s 2 -d"
for610_sections: [3, 4]
tags: [base64, decoding, didier-stevens]
- id: emldump-py
name: "emldump.py"
aliases: ["emldump"]
description: "Parse and analyze EML email message files"
category: document-analysis
platform: linux
in_remnux: true
author: "Didier Stevens"
labs: []
typical_usage:
- "emldump.py message.eml"
for610_sections: [3]
tags: [email, eml, didier-stevens]
- id: zipdump-py
name: "zipdump.py"
aliases: ["zipdump"]
description: "Parse and analyze ZIP archive structure"
category: document-analysis
platform: linux
in_remnux: true
author: "Didier Stevens"
labs: []
typical_usage:
- "zipdump.py archive.zip"
for610_sections: [3]
tags: [zip, archive, didier-stevens]
- id: numbers-to-string-py
name: "numbers-to-string.py"
aliases: []
description: "Convert sequences of decimal numbers to readable characters"
category: document-analysis
platform: linux
in_remnux: true
author: "Didier Stevens"
labs: ["3.3"]
typical_usage:
- "oledump.py doc.docm -s A3 -v | numbers-to-string.py -j"
for610_sections: [3]
tags: [decoding, deobfuscation, didier-stevens]
- id: translate-py
name: "translate.py"
aliases: []
description: "Transform data using Python expressions (XOR, ADD, etc.)"
category: document-analysis
platform: linux
in_remnux: true
author: "Didier Stevens"
labs: ["3.4"]
typical_usage:
- "translate.py \"byte ^ 35\" < input.bin > output.bin"
for610_sections: [3]
tags: [xor, transformation, decoding, didier-stevens]
# ============================================================
# STATIC ANALYSIS (PE)
# ============================================================
- id: pestudio
name: "PeStudio"
aliases: []
description: "GUI tool for examining static properties of PE files — imports, strings, sections, entropy, indicators"
category: static-analysis-pe
platform: windows
in_remnux: false
labs: ["1.1", "1.5", "2.7", "3.10", "3.12", "4.1", "4.2", "4.3", "4.7", "4.8", "5.3", "5.4", "5.8", "5.9", "5.10"]
typical_usage:
- "pestudio.exe specimen.exe"
for610_sections: [1, 2, 3, 4, 5]
tags: [pe, static-analysis, imports, strings, entropy, triage]
- id: peframe
name: "peframe"
aliases: []
description: "Static analysis of PE files — extract properties, detect anomalies, identify packers"
category: static-analysis-pe
platform: linux
in_remnux: true
labs: ["1.1", "4.8"]
typical_usage:
- "peframe specimen.exe"
for610_sections: [1, 4]
tags: [pe, static-analysis, triage]
- id: pestr
name: "pestr"
aliases: []
description: "Extract ASCII and Unicode strings from PE files"
category: static-analysis-pe
platform: linux
in_remnux: true
labs: ["1.1", "4.8"]
typical_usage:
- "pestr specimen.exe"
for610_sections: [1, 4]
tags: [pe, strings, static-analysis]
- id: strings
name: "strings"
aliases: []
description: "Extract printable ASCII and Unicode strings from binary files"
category: static-analysis-pe
platform: linux
in_remnux: true
labs: ["3.4", "5.2"]
typical_usage:
- "strings binary.exe"
- "strings -n 10 binary.exe"
- "strings --encoding=l binary.exe"
for610_sections: [1, 3]
tags: [strings, static-analysis, triage]
- id: bytehist
name: "Bytehist"
aliases: []
description: "Generate byte-usage histograms to visually identify packed or encrypted sections in binaries"
category: static-analysis-pe
platform: both
in_remnux: true
labs: []
typical_usage:
- "bytehist specimen.exe"
for610_sections: [1, 4]
tags: [pe, entropy, packing-detection, histogram]
- id: diec
name: "diec"
aliases: ["Detect It Easy", "DIE"]
description: "Detect packers, compilers, and tools used to create executables"
category: static-analysis-pe
platform: both
in_remnux: true
labs: ["4.1"]
typical_usage:
- "diec specimen.exe"
for610_sections: [1, 4]
tags: [pe, packer-detection, compiler-detection]
- id: exeinfo-pe
name: "ExeInfo PE"
aliases: ["ExeInfoPE", "ExeInfo"]
description: "Identify tools and packers used to create PE executables"
category: static-analysis-pe
platform: windows
in_remnux: false
labs: ["3.12"]
typical_usage:
- "ExeInfoPE.exe specimen.exe"
for610_sections: [1, 3]
tags: [pe, packer-detection]
- id: cff-explorer
name: "CFF Explorer"
aliases: []
description: "View and edit PE file headers, sections, imports, and resources"
category: static-analysis-pe
platform: windows
in_remnux: false
labs: []
typical_usage:
- "CFF Explorer specimen.exe"
for610_sections: [1]
tags: [pe, header-editing, resources]
- id: file
name: "file"
aliases: []
description: "Determine file type and MIME type using magic bytes"
category: static-analysis-pe
platform: linux
in_remnux: true
labs: ["3.4", "3.5"]
typical_usage:
- "file specimen.exe"
- "file document.doc"
for610_sections: [3]
tags: [file-identification, triage]
- id: trid
name: "trid"
aliases: []
description: "Identify file type by scanning binary signatures database"
category: static-analysis-pe
platform: linux
in_remnux: true
labs: ["3.3", "3.4"]
typical_usage:
- "trid document.doc"
for610_sections: [3]
tags: [file-identification, triage]
- id: exiftool
name: "exiftool"
aliases: []
description: "Extract metadata from files (PDF, images, documents, executables)"
category: static-analysis-pe
platform: linux
in_remnux: true
labs: []
typical_usage:
- "exiftool document.pdf"
- "exiftool specimen.exe"
for610_sections: [1]
tags: [metadata, triage]
# ============================================================
# BEHAVIORAL ANALYSIS
# ============================================================
- id: system-informer
name: "System Informer"
aliases: ["Process Hacker"]
description: "Monitor processes, network connections, handles, and system resources in real time"
category: behavioral-analysis
platform: windows
in_remnux: false
labs: ["1.2", "1.3", "1.6", "1.7", "1.8", "4.2", "4.5", "5.1"]
typical_usage:
- "SystemInformer.exe"
for610_sections: [1, 4, 5]
tags: [process-monitoring, handles, network, real-time]
- id: process-monitor
name: "Process Monitor"
aliases: ["ProcMon", "procmon"]
description: "Record file system, registry, process, and thread activity in real time"
category: behavioral-analysis
platform: windows
in_remnux: false
labs: ["1.2", "4.5"]
typical_usage:
- "Procmon.exe"
for610_sections: [1, 4]
tags: [filesystem, registry, process-monitoring, real-time]
- id: regshot
name: "Regshot"
aliases: []
description: "Take and compare registry/filesystem snapshots before and after infection"
category: behavioral-analysis
platform: windows
in_remnux: false
labs: ["1.2"]
typical_usage:
- "Regshot-x64-Unicode.exe"
for610_sections: [1]
tags: [registry, filesystem, snapshot, comparison]
- id: procdot
name: "ProcDOT"
aliases: []
description: "Visualize Process Monitor logs as interactive graphs for behavioral analysis"
category: behavioral-analysis
platform: both
in_remnux: true
labs: ["1.2", "4.5"]
typical_usage:
- "procdot"
for610_sections: [1, 4]
tags: [visualization, process-monitor, behavioral]
- id: autoruns
name: "Autoruns"
aliases: []
description: "View and manage all autostart locations — startup programs, services, drivers, scheduled tasks"
category: behavioral-analysis
platform: windows
in_remnux: false
labs: []
typical_usage:
- "Autoruns.exe"
for610_sections: [1]
tags: [persistence, autostart, startup]
- id: api-monitor
name: "API Monitor"
aliases: []
description: "Monitor and record API calls made by processes"
category: behavioral-analysis
platform: windows
in_remnux: false
labs: []
typical_usage:
- "apimonitor-x64.exe"
for610_sections: [1]
tags: [api-calls, monitoring, dynamic-analysis]
- id: tcplogview
name: "TcpLogView"
aliases: []
description: "Log opened and closed TCP connections with process information"
category: behavioral-analysis
platform: windows
in_remnux: false
labs: []
typical_usage:
- "TcpLogView.exe"
for610_sections: [1]
tags: [network, tcp, connection-logging]
# ============================================================
# NETWORK ANALYSIS & INTERCEPTION
# ============================================================
- id: wireshark
name: "Wireshark"
aliases: []
description: "GUI network protocol analyzer for capturing and inspecting packet-level traffic"
category: network-analysis
platform: both
in_remnux: true
labs: ["1.2", "1.3", "1.6", "1.7", "1.8", "5.1"]
typical_usage:
- "wireshark"
- "wireshark -r capture.pcap"
for610_sections: [1, 5]
tags: [packet-capture, protocol-analysis, network]
- id: tshark
name: "tshark"
aliases: []
description: "Command-line interface to Wireshark for packet capture and analysis"
category: network-analysis
platform: both
in_remnux: true
labs: []
typical_usage:
- "tshark -r capture.pcap"
- "tshark -i eth0 -w capture.pcap"
for610_sections: [1]
tags: [packet-capture, cli, network]
- id: tcpdump
name: "tcpdump"
aliases: []
description: "Command-line packet capture tool"
category: network-analysis
platform: linux
in_remnux: true
labs: []
typical_usage:
- "tcpdump -i eth0 -w capture.pcap"
- "tcpdump -r capture.pcap"
for610_sections: [1]
tags: [packet-capture, cli, network]
- id: fiddler
name: "Fiddler"
aliases: []
description: "HTTP/HTTPS debugging proxy for intercepting, inspecting, and modifying web traffic"
category: network-analysis
platform: windows
in_remnux: false
labs: ["3.2", "3.8", "3.9", "3.10", "3.11", "3.12", "4.5"]
typical_usage:
- "Fiddler.exe"
for610_sections: [3, 4]
tags: [http, https, proxy, web-traffic]
- id: fakedns
name: "fakedns"
aliases: []
description: "Fake DNS server that resolves all queries to a specified IP for traffic interception"
category: network-analysis
platform: linux
in_remnux: true
labs: ["1.3", "1.6", "1.7", "1.8"]
typical_usage:
- "fakedns"
for610_sections: [1]
tags: [dns, spoofing, interception, lab-setup]
- id: inetsim
name: "INetSim"
aliases: []
description: "Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for malware analysis in isolated labs"
category: network-analysis
platform: linux
in_remnux: true
labs: ["1.7"]
typical_usage:
- "inetsim"
for610_sections: [1]
tags: [service-emulation, network-simulation, lab-setup]
- id: httpd
name: "httpd"
aliases: ["accept-all-ips"]
description: "Simple HTTP server on REMnux for simulating C2 web servers"
category: network-analysis
platform: linux
in_remnux: true
labs: ["1.3", "1.6", "1.8"]
typical_usage:
- "httpd"
for610_sections: [1]
tags: [http, web-server, c2-simulation, lab-setup]
- id: iptables
name: "iptables"
aliases: []
description: "Linux firewall and NAT tool for redirecting IP-based malware traffic"
category: network-analysis
platform: linux
in_remnux: true
labs: ["1.8"]
typical_usage:
- "iptables -t nat -A PREROUTING -i ens32 -j REDIRECT"
for610_sections: [1]
tags: [firewall, nat, traffic-redirection]
- id: netcat
name: "nc"
aliases: ["netcat"]
description: "Network utility for reading/writing data across TCP/UDP connections"
category: network-analysis
platform: both
in_remnux: true
labs: []
typical_usage:
- "nc -l -p 3127"
- "nc target_ip 80"
for610_sections: [1]
tags: [network, tcp, listener]
- id: nslookup
name: "nslookup"
aliases: []
description: "DNS query tool for testing name resolution"
category: network-analysis
platform: both
in_remnux: true
labs: ["1.3"]
typical_usage:
- "nslookup domain.com"
for610_sections: [1]
tags: [dns, testing]
- id: thug
name: "Thug"
aliases: []
description: "Low-interaction honeyclient for analyzing malicious websites and drive-by downloads"
category: network-analysis
platform: linux
in_remnux: true
labs: []
typical_usage:
- "thug -u win7chrome49 http://suspicious-site.com"
for610_sections: [3]
tags: [honeyclient, web-analysis, drive-by]
- id: burp-suite
name: "Burp Suite"
aliases: ["Burp"]
description: "Web application security proxy for intercepting and modifying HTTP/HTTPS traffic"
category: network-analysis
platform: both
in_remnux: false
labs: []
typical_usage:
- "burpsuite"
for610_sections: [3]
tags: [http, https, proxy, web-security]
- id: torsocks
name: "torsocks"
aliases: []
description: "Route network traffic through the Tor anonymity network"
category: network-analysis
platform: linux
in_remnux: true
labs: []
typical_usage:
- "torsocks curl http://example.onion"
for610_sections: [1]
tags: [tor, anonymity, network-routing]
# ============================================================
# CODE ANALYSIS & DISASSEMBLY
# ============================================================
- id: ghidra
name: "Ghidra"
aliases: []
description: "Open-source disassembler and decompiler from NSA with scripting, function graphs, and data type management"
category: code-analysis
platform: both
in_remnux: true
labs: ["2.1", "2.2", "2.3", "2.4", "2.5", "2.6", "2.7", "2.8", "4.9", "5.2", "5.4", "5.5", "5.6", "5.7", "5.9"]
typical_usage:
- "ghidra"
for610_sections: [2, 4, 5]
tags: [disassembly, decompilation, code-analysis, function-graph]
- id: ida
name: "IDA"
aliases: ["IDA Pro", "IDA Freeware"]
description: "Commercial interactive disassembler and debugger from Hex-Rays"
category: code-analysis
platform: both
in_remnux: false
labs: []
typical_usage:
- "ida64.exe specimen.exe"
for610_sections: [2]
tags: [disassembly, decompilation, commercial]
- id: binary-ninja
name: "Binary Ninja"
aliases: []
description: "Commercial disassembler with strong automated analysis and scripting"
category: code-analysis
platform: both
in_remnux: false
labs: []
typical_usage:
- "binaryninja specimen.exe"
for610_sections: [2]
tags: [disassembly, commercial]
- id: cutter
name: "Cutter"
aliases: []
description: "Open-source reverse engineering platform — Qt-based GUI for radare2"
category: code-analysis
platform: both
in_remnux: true
labs: []
typical_usage:
- "cutter specimen.exe"
for610_sections: [2]
tags: [disassembly, radare2, open-source]
- id: radare2
name: "radare2"
aliases: ["r2"]
description: "Open-source reverse engineering command-line framework"
category: code-analysis
platform: both
in_remnux: true
labs: []
typical_usage:
- "r2 specimen.exe"
for610_sections: [2]
tags: [disassembly, cli, open-source]
# ============================================================
# DEBUGGING
# ============================================================
- id: x64dbg
name: "x64dbg"
aliases: []
description: "Open-source 64-bit debugger for dynamic malware analysis — breakpoints, memory inspection, patching"
category: debugging
platform: windows
in_remnux: false
labs: ["1.5", "4.3", "4.4", "5.1"]
typical_usage:
- "x64dbg.exe specimen.exe"
for610_sections: [1, 4, 5]
tags: [debugger, 64-bit, dynamic-analysis, breakpoints]
- id: x32dbg
name: "x32dbg"
aliases: []
description: "Open-source 32-bit debugger for dynamic malware analysis — breakpoints, memory inspection, patching"
category: debugging
platform: windows
in_remnux: false
labs: ["3.5", "3.10", "4.6", "4.7", "5.3", "5.4", "5.5", "5.6", "5.7", "5.8", "5.9", "5.10"]
typical_usage:
- "x32dbg.exe specimen.exe"
for610_sections: [3, 4, 5]
tags: [debugger, 32-bit, dynamic-analysis, breakpoints]
- id: ollydbg
name: "OllyDbg"
aliases: []
description: "Classic 32-bit debugger for Windows (legacy, predecessor to x32dbg)"
category: debugging
platform: windows
in_remnux: false
labs: []
typical_usage:
- "ollydbg.exe specimen.exe"
for610_sections: [4, 5]
tags: [debugger, 32-bit, legacy]
- id: windbg
name: "WinDbg"
aliases: []
description: "Microsoft Windows debugger for kernel and user-mode debugging"
category: debugging
platform: windows
in_remnux: false
labs: []
typical_usage:
- "windbg.exe specimen.exe"
for610_sections: [2]
tags: [debugger, kernel, microsoft]
# ============================================================
# EMULATION & SANDBOXING
# ============================================================
- id: speakeasy
name: "speakeasy"
aliases: []
description: "Windows binary emulator — emulates API calls to analyze malware behavior without native execution"
category: emulation
platform: linux
in_remnux: true
labs: ["1.4"]
typical_usage:
- "speakeasy -t specimen.exe -o report.json 2> report.txt"
- "speakeasy -t shellcode.bin -r -a x86"
for610_sections: [1]
tags: [emulation, api-calls, behavioral-analysis]
- id: scdbgc
name: "scdbgc"
aliases: ["scdbg"]
description: "Shellcode emulator — analyze shellcode behavior through API-level emulation"
category: emulation
platform: both
in_remnux: true
labs: ["3.4", "3.5", "4.6"]
typical_usage:
- "scdbgc /f shellcode.bin /s -1"
- "scdbgc /f shellcode.bin /foff 0x3B /fopen qa.doc"
- "scdbgc /f shellcode.bin /s -1 /norw"
for610_sections: [3, 4]
tags: [shellcode, emulation, api-calls]
- id: runsc32
name: "runsc32"
aliases: ["runsc"]
description: "Execute extracted shellcode for dynamic analysis"
category: emulation
platform: windows
in_remnux: false
labs: ["3.5", "4.6"]
typical_usage:
- "runsc32 -f shellcode.bin -o 0x3B -d qa.doc"
for610_sections: [3, 4]
tags: [shellcode, execution, dynamic-analysis]
- id: box-js
name: "box-js"
aliases: []
description: "JavaScript sandbox for analyzing malicious scripts by emulating browser/WScript APIs"
category: emulation
platform: linux
in_remnux: true
labs: []
typical_usage:
- "box-js --output-dir=/tmp suspicious.js"
for610_sections: [3]
tags: [javascript, sandbox, emulation]
# ============================================================
# UNPACKING & DUMPING
# ============================================================
- id: upx
name: "UPX"
aliases: ["upx"]
description: "Universal Packer for eXecutables — compress and decompress PE files"
category: unpacking
platform: both
in_remnux: true
labs: ["4.2"]
typical_usage:
- "upx -d packed.exe"
- "upx -d packed.exe -o unpacked.exe"
for610_sections: [4]
tags: [packer, unpacker, compression]
- id: scylla
name: "Scylla"
aliases: []
description: "Dump processes from memory and reconstruct import address tables (IAT)"
category: unpacking
platform: windows
in_remnux: false
labs: ["4.2", "4.3", "5.4", "5.8", "5.10"]
typical_usage:
- "Scylla x64 > Attach to process > Dump > IAT Autosearch > Fix Dump"
for610_sections: [4, 5]
tags: [memory-dump, iat-reconstruction, unpacking]
- id: ollydumpex
name: "OllyDumpEx"
aliases: []
description: "x64dbg/x32dbg plugin for dumping unpacked process memory to disk"
category: unpacking
platform: windows
in_remnux: false
labs: ["4.3", "5.4", "5.8"]
typical_usage:
- "Plugins > OllyDumpEx > Dump process"
for610_sections: [4, 5]
tags: [memory-dump, x64dbg-plugin, unpacking]
- id: pe-unmapper
name: "pe_unmapper"
aliases: []
description: "Convert dumped PE from virtual memory alignment to raw disk alignment"
category: unpacking
platform: windows
in_remnux: false
labs: ["5.10"]
typical_usage:
- "pe_unmapper /in dumped.exe /base 400000 /out fixed.exe"
for610_sections: [5]
tags: [pe-fixup, memory-dump, alignment]
- id: setdllcharacteristics
name: "setdllcharacteristics"
aliases: []
description: "Modify PE header flags — commonly used to disable ASLR (DynamicBase)"
category: unpacking
platform: windows
in_remnux: false
author: "Didier Stevens"
labs: ["4.2"]
typical_usage:
- "setdllcharacteristics -d specimen.exe"
for610_sections: [4]
tags: [pe-header, aslr, didier-stevens]
# ============================================================
# .NET ANALYSIS
# ============================================================
- id: ilspy
name: "ILSpy"
aliases: []
description: ".NET assembly decompiler — view C#/VB.NET source from compiled .NET binaries"
category: dotnet-analysis
platform: windows
in_remnux: false
labs: ["3.12", "4.8"]
typical_usage:
- "ILSpy.exe assembly.exe"
for610_sections: [3, 4]
tags: [dotnet, decompiler, csharp]
- id: ilspycmd
name: "ilspycmd"
aliases: []
description: "Command-line .NET decompiler (CLI version of ILSpy)"
category: dotnet-analysis
platform: linux
in_remnux: true
labs: ["4.8"]
typical_usage:
- "ilspycmd assembly.exe > decompiled.cs"
for610_sections: [4]
tags: [dotnet, decompiler, cli]
- id: dnspyex
name: "dnSpyEx"
aliases: ["dnSpy"]
description: ".NET debugger and decompiler — debug obfuscated/packed .NET malware with breakpoints"
category: dotnet-analysis
platform: windows
in_remnux: false
labs: ["4.8"]
typical_usage:
- "dnSpyEx.exe assembly.exe"
for610_sections: [4]
tags: [dotnet, debugger, decompiler]
- id: de4dot
name: "de4dot"
aliases: []
description: ".NET deobfuscator — remove obfuscation from .NET assemblies"
category: dotnet-analysis
platform: both
in_remnux: true
labs: ["4.8"]
typical_usage:
- "de4dot obfuscated.exe"
for610_sections: [4]
tags: [dotnet, deobfuscation]
- id: dotpeek
name: "dotPeek"
aliases: []
description: "Free JetBrains .NET decompiler — alternative to ILSpy for viewing .NET source"
category: dotnet-analysis
platform: windows
in_remnux: false
labs: []
typical_usage:
- "dotPeek.exe assembly.exe"
for610_sections: [4]
tags: [dotnet, decompiler, jetbrains]
- id: dotdumper
name: "DotDumper"
aliases: []
description: "Execution monitor and memory extractor for automatic .NET malware unpacking"
category: dotnet-analysis
platform: windows
in_remnux: false
labs: []
typical_usage:
- "DotDumper.exe -file chatroom.exe"
for610_sections: [4]
tags: [dotnet, unpacking, memory-extraction, automated]
# ============================================================
# JAVASCRIPT ANALYSIS
# ============================================================
- id: spidermonkey
name: "SpiderMonkey"
aliases: ["js"]
description: "Mozilla JavaScript engine — execute and deobfuscate malicious JavaScript outside a browser"
category: javascript-analysis
platform: linux
in_remnux: true
labs: ["3.6", "3.7", "4.5"]
typical_usage:
- "js -f malicious.js"
- "js -f /usr/share/remnux/objects.js -f malicious.js > decoded.js"
for610_sections: [3, 4]
tags: [javascript, deobfuscation, execution]
- id: js-beautify
name: "js-beautify"
aliases: []
description: "Format and beautify obfuscated JavaScript code for readability"
category: javascript-analysis
platform: linux
in_remnux: true
labs: ["3.6", "4.5"]
typical_usage:
- "js-beautify malicious.js > beautified.js"
for610_sections: [3]
tags: [javascript, formatting, readability]
- id: cscript
name: "CScript"
aliases: ["cscript.exe"]
description: "Windows Script Host command-line — execute JScript/VBScript for AMSI monitoring"
category: javascript-analysis
platform: windows
in_remnux: false
labs: ["3.6"]
typical_usage:
- "cscript malicious.js"
for610_sections: [3]
tags: [javascript, vbscript, windows-script-host]
# ============================================================
# POWERSHELL ANALYSIS
# ============================================================
- id: powershell-ise
name: "PowerShell ISE"
aliases: ["powershell_ise"]
description: "PowerShell Integrated Scripting Environment — debug scripts with breakpoints and variable inspection"
category: powershell-analysis
platform: windows
in_remnux: false
labs: ["3.9", "3.11", "4.5"]
typical_usage:
- "powershell_ise script.ps1"
for610_sections: [3, 4]
tags: [powershell, debugger, script-analysis]
- id: logman
name: "logman"
aliases: []
description: "Windows Event Trace session manager — enable AMSI script content logging"
category: powershell-analysis
platform: windows
in_remnux: false
labs: ["3.6"]
typical_usage:
- "logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets"
- "logman stop AMSITrace -ets"
for610_sections: [3]
tags: [amsi, event-tracing, monitoring]
- id: amsiscriptcontentretrieval
name: "AMSIScriptContentRetrieval"
aliases: []
description: "Extract monitored script content from AMSI Event Trace logs"
category: powershell-analysis
platform: windows
in_remnux: false
labs: ["3.6"]
typical_usage:
- "AMSIScriptContentRetrieval AMSITrace.etl > output.txt"
for610_sections: [3]
tags: [amsi, script-extraction]
# ============================================================
# STRING & DATA DEOBFUSCATION
# ============================================================
- id: floss
name: "FLOSS"
aliases: ["floss"]
description: "Automatically extract obfuscated strings from malware using static analysis, stack strings, and emulation"
category: string-deobfuscation
platform: both
in_remnux: true
labs: ["5.2", "5.3"]
typical_usage:
- "floss specimen.exe"
- "floss specimen.exe > strings-output.txt"
- "floss --no-static -- specimen.exe"
for610_sections: [5]
tags: [strings, deobfuscation, automated]
- id: xorsearch
name: "XORSearch"
aliases: []
description: "Search for XOR/ROL/ROT/SHIFT-encoded patterns including shellcode signatures"
category: string-deobfuscation
platform: linux
in_remnux: true
author: "Didier Stevens"
labs: ["3.5", "5.2"]
typical_usage:
- "XORSearch -W -d 3 file.bin"
- "XORSearch -i -s specimen.exe http:"
for610_sections: [3, 5]
tags: [xor, shellcode-detection, pattern-search, didier-stevens]
- id: brxor-py
name: "brxor.py"
aliases: []
description: "Brute-force XOR key detection for single-byte XOR-encoded strings"
category: string-deobfuscation
platform: linux
in_remnux: true
labs: ["5.2"]
typical_usage:
- "brxor.py specimen.dll"
for610_sections: [5]
tags: [xor, brute-force, deobfuscation]
- id: bbcrack
name: "bbcrack"
aliases: []
description: "Detect and decode strings obfuscated with XOR, ROL, and ADD algorithms"
category: string-deobfuscation
platform: linux
in_remnux: true
labs: ["5.2"]
typical_usage:
- "bbcrack -l 1 specimen.dll"
for610_sections: [5]
tags: [xor, rol, add, deobfuscation, balbuzard]
- id: strdeob-pl
name: "strdeob.pl"
aliases: []
description: "Automatically decode stack-built strings from disassembled malware"
category: string-deobfuscation
platform: linux
in_remnux: true
labs: ["5.2"]
typical_usage:
- "strdeob.pl specimen.exe"
for610_sections: [5]
tags: [stack-strings, deobfuscation]
- id: cyberchef
name: "CyberChef"
aliases: []
description: "Web-based data transformation tool — decode Base64, XOR, hex, decompress, and chain operations"
category: string-deobfuscation
platform: both
in_remnux: true
labs: ["1.5", "3.8", "3.12"]
typical_usage:
- "cyberchef"
for610_sections: [1, 3]
tags: [decoding, encoding, transformation, web-based]
# ============================================================
# YARA & CAPABILITY DETECTION
# ============================================================
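- id: capa
  name: "capa"
  aliases: []
  description: "Identify malware capabilities mapped to MITRE ATT&CK framework and Malware Behavior Catalog"
  category: yara-detection
  platform: both
  in_remnux: true
  labs: ["1.4", "5.4"]
  typical_usage:
    - "capa specimen.exe"
    # -vv prints every matched feature with its address; the grep example below filters that output
    - "capa -vv specimen.exe"
    - "capa -vv specimen.exe | grep -A7 'Suspended Process'"
  for610_sections: [1, 5]
  tags: [capabilities, mitre-attack, automated-analysis]
- id: yara
  name: "yara"
  # "yara-rules" is the REMnux wrapper that runs the bundled rule set, which is why the first
  # usage line takes no rule-file argument; plain "yara" requires one
  aliases: ["yara-rules"]
  description: "Pattern matching tool for identifying and classifying malware using custom rules"
  category: yara-detection
  platform: both
  in_remnux: true
  labs: ["3.4"]
  typical_usage:
    - "yara-rules specimen.bin"
    - "yara rule.yar specimen.exe"
  for610_sections: [3]
  tags: [pattern-matching, classification, rules]
- id: 1768-py
  name: "1768.py"
  aliases: []
  description: "Parse Cobalt Strike beacon configuration from shellcode or memory dumps"
  # NOTE(review): this is a C2-config extractor rather than a YARA/capa tool; it is filed under
  # yara-detection because lab 3.4 covers it alongside yara — confirm the category is intended
  category: yara-detection
  platform: linux
  in_remnux: true
  author: "Didier Stevens"
  labs: ["3.4"]
  typical_usage:
    - "1768.py shellcode.bin"
  for610_sections: [3]
  tags: [cobalt-strike, beacon, c2-config, didier-stevens]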
# ============================================================
# ANTI-ANALYSIS BYPASS
# ============================================================
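# Both entries are debugger plugins, so typical_usage is a menu path inside the debugger
# rather than a shell command.
- id: scyllahide
  name: "ScyllaHide"
  aliases: []
  description: "x64dbg/x32dbg plugin to hide debugger presence from anti-debugging checks"
  category: anti-analysis
  platform: windows
  in_remnux: false
  labs: ["5.3", "5.6"]
  typical_usage:
    - "Plugins > ScyllaHide > Options > Enable all"
  for610_sections: [5]
  tags: [anti-debugging, debugger-hiding, x64dbg-plugin]
- id: xanalyzer
  name: "xAnalyzer"
  aliases: []
  description: "x32dbg plugin providing extended analysis — API parameter names and types in disassembly"
  category: anti-analysis
  platform: windows
  in_remnux: false
  labs: ["5.10"]
  typical_usage:
    - "Plugins > xAnalyzer"
  for610_sections: [5]
  tags: [x32dbg-plugin, analysis-enhancement]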
# ============================================================
# ONLINE ANALYSIS PLATFORMS
# ============================================================
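# Hosted services: in_remnux is always false and typical_usage is the entry URL.
# Looking a sample up by hash does not disclose it; uploading it shares the file (and the
# fact that it is under investigation) with the platform and, on VirusTotal, with other users.
- id: virustotal
  name: "VirusTotal"
  aliases: ["VT"]
  description: "Multi-engine antivirus scanning, behavioral analysis, and threat intelligence"
  category: online-platforms
  platform: online
  in_remnux: false
  labs: []
  typical_usage:
    - "https://virustotal.com"
  for610_sections: [1]
  tags: [scanning, multi-engine, threat-intel]
- id: hybrid-analysis
  name: "Hybrid Analysis"
  aliases: []
  description: "CrowdStrike automated sandbox for malware detonation and behavioral reporting"
  category: online-platforms
  platform: online
  in_remnux: false
  labs: []
  typical_usage:
    - "https://hybrid-analysis.com"
  for610_sections: [1]
  tags: [sandbox, behavioral, crowdstrike]
- id: any-run
  name: "Any.run"
  aliases: []
  description: "Interactive online malware analysis sandbox with real-time process monitoring"
  category: online-platforms
  platform: online
  in_remnux: false
  labs: []
  typical_usage:
    - "https://any.run"
  for610_sections: [1]
  tags: [sandbox, interactive, real-time]
- id: cape-sandbox
  name: "CAPE Sandbox"
  aliases: ["CAPE"]
  description: "Automated malware analysis sandbox with payload extraction and config dumping"
  category: online-platforms
  # the public instance is listed here; CAPE can also be self-hosted, which keeps samples in-house
  platform: online
  in_remnux: false
  labs: []
  typical_usage:
    - "https://capesandbox.com"
  for610_sections: [1]
  tags: [sandbox, automated, payload-extraction]
- id: malwarebazaar
  name: "MalwareBazaar"
  aliases: []
  description: "Malware sample sharing platform by abuse.ch"
  category: online-platforms
  platform: online
  in_remnux: false
  labs: []
  typical_usage:
    - "https://bazaar.abuse.ch"
  for610_sections: [1]
  tags: [sample-sharing, repository]
- id: intezer-analyze
  name: "Intezer Analyze"
  aliases: []
  description: "Automated code analysis platform for malware classification using code reuse detection"
  category: online-platforms
  platform: online
  in_remnux: false
  labs: []
  typical_usage:
    - "https://analyze.intezer.com"
  for610_sections: [1]
  tags: [code-reuse, classification, automated]
- id: filescan-io
  name: "FileScan.IO"
  aliases: []
  description: "Online malware analysis sandbox with multi-format support"
  category: online-platforms
  platform: online
  in_remnux: false
  labs: []
  typical_usage:
    - "https://filescan.io"
  for610_sections: [1]
  tags: [sandbox, online]
- id: urlscan-io
  name: "urlscan.io"
  aliases: []
  description: "Website and URL investigation service — screenshots, DOM analysis, network requests"
  category: online-platforms
  # scans are public by default; the result page (including the submitted URL) is visible to anyone
  platform: online
  in_remnux: false
  labs: []
  typical_usage:
    - "https://urlscan.io"
  for610_sections: [1]
  tags: [url-analysis, website-investigation]
- id: shodan
  name: "Shodan"
  aliases: []
  description: "Search engine for internet-connected devices and exposed services"
  category: online-platforms
  platform: online
  in_remnux: false
  labs: []
  typical_usage:
    - "https://shodan.io"
  for610_sections: [1]
  tags: [infrastructure, reconnaissance]
- id: otx
  name: "Open Threat Exchange"
  aliases: ["OTX", "LevelBlue Labs"]
  description: "Threat intelligence sharing platform for indicators of compromise"
  category: online-platforms
  platform: online
  in_remnux: false
  labs: []
  typical_usage:
    - "https://otx.alienvault.com"
  for610_sections: [1]
  tags: [threat-intel, ioc-sharing]
- id: threatfox
  name: "ThreatFox"
  aliases: []
  description: "Threat intelligence platform for sharing IOCs associated with malware"
  category: online-platforms
  platform: online
  in_remnux: false
  labs: []
  typical_usage:
    - "https://threatfox.abuse.ch"
  for610_sections: [1]
  tags: [threat-intel, ioc-sharing, abuse-ch]
- id: securitytrails
  name: "SecurityTrails"
  aliases: []
  description: "Historical DNS records and IP/domain intelligence"
  category: online-platforms
  platform: online
  in_remnux: false
  labs: []
  typical_usage:
    - "https://securitytrails.com"
  for610_sections: [1]
  tags: [dns-history, domain-intel]
- id: unpacme
  name: "UnpacMe"
  aliases: []
  description: "Automated online malware unpacking service"
  category: online-platforms
  platform: online
  in_remnux: false
  labs: []
  typical_usage:
    - "https://www.unpac.me"
  # the only entry in this section tied to section 4 (unpacking) rather than section 1
  for610_sections: [4]
  tags: [unpacking, automated, online]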
# ============================================================
# VIRTUALIZATION
# ============================================================
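- id: vmware-workstation
  name: "VMware Workstation Pro"
  aliases: ["VMware"]
  description: "Desktop hypervisor for running isolated analysis VMs with snapshots and host-only networking"
  category: virtualization
  platform: both
  in_remnux: false
  labs: []
  typical_usage:
    - "vmware"
  for610_sections: [1]
  tags: [hypervisor, vm, isolation]
- id: vmware-fusion
  name: "VMware Fusion"
  aliases: []
  description: "macOS hypervisor for running analysis virtual machines"
  category: virtualization
  # NOTE(review): the platform enum used in this file has no macos value, so "both" is the
  # closest fit even though the description says macOS only — confirm how consumers read this
  platform: both
  in_remnux: false
  labs: []
  typical_usage:
    - "VMware Fusion.app"
  for610_sections: [1]
  tags: [hypervisor, macos]
- id: virtualbox
  name: "VirtualBox"
  aliases: []
  description: "Open-source hypervisor for running analysis virtual machines"
  category: virtualization
  platform: both
  in_remnux: false
  labs: []
  typical_usage:
    - "VirtualBox"
  for610_sections: [1]
  tags: [hypervisor, open-source]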
# ============================================================
# UTILITIES
# ============================================================
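- id: visual-studio-code
  name: "Visual Studio Code"
  aliases: ["code", "VS Code"]
  description: "Code editor used for viewing decompiled output, scripts, and analysis results"
  category: utilities
  platform: both
  in_remnux: true
  labs: ["1.3", "1.4", "1.5", "3.3", "3.6", "3.7", "4.5", "4.8", "5.2", "5.3"]
  typical_usage:
    - "code filename.js"
  for610_sections: [1, 3, 4, 5]
  tags: [editor, code-viewer]
- id: notepadpp
  name: "Notepad++"
  aliases: []
  description: "Advanced Windows text editor with syntax highlighting for script analysis"
  category: utilities
  platform: windows
  in_remnux: false
  # lab ids stay quoted throughout the file: an unquoted 3.10 would parse as the float 3.1
  labs: ["3.6", "3.8", "3.9", "3.10", "3.11", "3.12", "4.5"]
  typical_usage:
    - "notepad++ script.ps1"
  for610_sections: [3, 4]
  tags: [editor, windows]
- id: jq
  name: "jq"
  aliases: []
  description: "Command-line JSON processor for extracting and transforming structured data"
  category: utilities
  platform: linux
  in_remnux: true
  labs: ["1.4"]
  typical_usage:
    - "cat report.json | jq '.apis'"
    # -r prints raw strings (no surrounding quotes), convenient when piping into other tools
    - "jq -r '.entry' report.json"
  for610_sections: [1]
  tags: [json, data-processing]
- id: feh
  name: "feh"
  aliases: []
  description: "Lightweight image viewer for viewing extracted images from documents"
  category: utilities
  platform: linux
  in_remnux: true
  labs: ["3.1"]
  typical_usage:
    - "feh extracted_image.jpg"
  for610_sections: [3]
  tags: [image-viewer]
- id: winscp
  name: "WinSCP"
  aliases: []
  description: "Windows SCP/SFTP client for transferring files between Windows and Linux VMs"
  category: utilities
  platform: windows
  in_remnux: false
  labs: ["4.5"]
  typical_usage:
    - "WinSCP.exe"
  for610_sections: [4]
  tags: [file-transfer, scp]
- id: wine
  name: "Wine"
  aliases: []
  description: "Windows compatibility layer — run Windows executables on Linux"
  category: utilities
  platform: linux
  in_remnux: true
  labs: ["3.5"]
  typical_usage:
    # this executes the specimen, unlike the static tools above — treat it as a dynamic-analysis step
    - "wine program.exe"
  for610_sections: [3]
  tags: [windows-compat, execution]
- id: unzip
  name: "unzip"
  aliases: []
  description: "Extract ZIP archives containing malware samples"
  category: utilities
  platform: linux
  in_remnux: true
  labs: ["1.1", "3.1", "3.3", "3.4", "3.5", "3.6", "3.7", "4.1", "4.8", "5.2", "5.3", "5.4"]
  typical_usage:
    # "infected" is the conventional password for sample archives; it stops AV and accidental
    # double-clicks from touching the payload, not attackers
    - "unzip -P infected sample.zip"
  for610_sections: [1, 3, 4, 5]
  tags: [archive, extraction]
- id: gunzip
  name: "gunzip"
  aliases: []
  description: "Decompress gzip-compressed data (often used in multi-stage payload extraction)"
  category: utilities
  platform: linux
  in_remnux: true
  labs: ["3.4"]
  typical_usage:
    # -c writes to stdout and leaves the original .gz in place
    - "gunzip -c compressed.gz > output.bin"
  for610_sections: [3]
  tags: [compression, extraction]
- id: rar
  name: "rar"
  aliases: ["unrar"]
  description: "Extract RAR archives (including self-extracting RAR payloads)"
  category: utilities
  platform: both
  in_remnux: true
  labs: ["3.5"]
  typical_usage:
    - "rar x archive.rar"
  for610_sections: [3]
  tags: [archive, extraction]
- id: hexdump
  name: "hexdump"
  aliases: []
  description: "Display file content in hexadecimal format"
  category: utilities
  platform: linux
  in_remnux: true
  labs: []
  typical_usage:
    # -C gives the canonical hex + ASCII layout
    - "hexdump -C binary.dat"
  for610_sections: [1]
  tags: [hex, binary-viewing]
- id: xxd
  name: "xxd"
  aliases: []
  description: "Create hex dump of a file or reverse a hex dump back to binary"
  category: utilities
  platform: linux
  in_remnux: true
  labs: []
  typical_usage:
    - "xxd binary.exe"
    # -r reverses: hex dump text back to the original bytes
    - "xxd -r hexdump.txt > binary.exe"
  for610_sections: [1]
  tags: [hex, binary-conversion]
- id: binwalk
  name: "binwalk"
  aliases: []
  description: "Analyze and extract embedded files and firmware images"
  category: utilities
  platform: linux
  in_remnux: true
  labs: []
  typical_usage:
    - "binwalk firmware.bin"
    # -e extracts every embedded file it identifies into a _firmware.bin.extracted/ directory
    - "binwalk -e firmware.bin"
  for610_sections: [1]
  tags: [firmware, extraction, embedded-files]
- id: wget
  name: "wget"
  aliases: []
  description: "Download files from HTTP/HTTPS/FTP servers"
  category: utilities
  platform: linux
  in_remnux: true
  labs: []
  typical_usage:
    - "wget http://example.com/file.bin"
  for610_sections: [1]
  tags: [download, http]
- id: curl
  name: "curl"
  aliases: []
  description: "Transfer data to/from servers using various protocols"
  category: utilities
  platform: linux
  in_remnux: true
  labs: []
  typical_usage:
    # -L follows redirects; -o writes the body to a file instead of stdout
    - "curl -L http://example.com"
    - "curl -o output.bin http://example.com/file"
  for610_sections: [1]
  tags: [download, http, transfer]
- id: reg-export
  name: "reg_export"
  aliases: []
  description: "Extract registry key values to files — used to recover malware artifacts stored in registry"
  category: utilities
  platform: windows
  in_remnux: false
  author: "Adam Kramer"
  labs: ["4.5"]
  typical_usage:
    # double backslashes are YAML escapes inside a double-quoted scalar; the loaded value
    # contains single backslashes as the registry path needs
    - "reg_export HKCU\\software\\keyname valuename output.js"
  for610_sections: [4]
  tags: [registry, extraction, windows]
- id: regedit
  name: "Regedit"
  aliases: []
  description: "Windows Registry Editor for browsing and modifying registry keys"
  category: utilities
  platform: windows
  in_remnux: false
  labs: ["4.5"]
  typical_usage:
    - "regedit.exe"
  for610_sections: [4]
  tags: [registry, windows]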