docker_file_analysis/remnux-tldr-cheatsheet.md
Tobias Kessels b98aaee3e0 Major repository cleanup and enhancement
- Reorganize documentation: moved old docs to docs/ directory
- Add comprehensive README.md with build options and usage guide
- Add detailed CONTRIBUTING.md with help content management guide
- Create Makefile for automated building and testing
- Add Dockerfile.scratch for building from Ubuntu 20.04 base
- Enhance all Dockerfiles with PowerShell + PSScriptAnalyzer
- Add modern shells: zsh (with plugins) and fish (with config)
- Add modern CLI tools: fd-find, ripgrep, fzf
- Create comprehensive help system with cheat/TLDR/fish completions
- Add helper scripts for help content management and coverage checking
- Fix Dockerfile.remnux script references
- Support three build variants: upstream (REMnux), scratch (Ubuntu), kali

Build options:
  - make build-upstream: Fast, uses REMnux upstream (recommended)
  - make build-scratch: Full control, builds from Ubuntu 20.04
  - make build-kali: Legacy Kali Linux base

Features:
  - PowerShell with PSScriptAnalyzer module
  - Modern shells (zsh, fish) with custom configurations
  - Enhanced help system (cheat sheets, TLDR pages, fish completions)
  - Help coverage checking and bulk import tools
  - Comprehensive documentation for users and contributors
2025-10-01 11:45:56 +02:00


REMnux Docker Container - TLDR Tools Cheat Sheet

Quick Start

# Run REMnux container
docker run --rm -it -u remnux -v ~/samples:/home/remnux/files remnux/remnux-distro:focal bash

# Default credentials: remnux/malware

📁 GENERAL FILE ANALYSIS

🔧 FILE

Purpose: Identify file type using magic numbers
Syntax: file [filename]
Example: file malware.exe
Output: Shows file type and basic properties

🔧 EXIFTOOL

Purpose: Extract metadata from files
Syntax: exiftool [options] [filename]
Example: exiftool -a malware.exe
Output: Displays all metadata tags

🔧 TRID

Purpose: Identify file types using signatures
Syntax: trid [filename]
Example: trid unknown_file.bin
Output: Shows percentage probability of file types

🔧 DIE (Detect-It-Easy)

Purpose: Detect file types and examine properties
Syntax: die [filename] or diec [filename]
Example: die malware.exe
Output: Comprehensive file analysis

🔧 YARA

Purpose: Pattern matching for malware identification
Syntax: yara [rulefile] [target]
Example: yara rules.yar malware.exe
Output: Shows matching rules

🔧 SSDEEP

Purpose: Compute fuzzy hashes for similarity detection
Syntax: ssdeep [options] [files]
Example: ssdeep -b -d malware1.exe malware2.exe
Output: Fuzzy hash comparison results

🔧 CLAMSCAN

Purpose: Scan files for malware signatures
Syntax: clamscan [options] [file/directory]
Example: clamscan --verbose malware.exe
Output: Virus detection results

🔧 BINWALK

Purpose: Extract and analyze firmware images
Syntax: binwalk [options] [filename]
Example: binwalk -e firmware.bin
Output: Extracted files and entropy analysis

🔧 BULK_EXTRACTOR

Purpose: Extract strings and artifacts from files
Syntax: bulk_extractor [options] -o [output_dir] [input]
Example: bulk_extractor -o output_dir malware.exe
Output: Directory with extracted artifacts

🔧 SIGNSRCH

Purpose: Find crypto/compression algorithm signatures
Syntax: signsrch [filename]
Example: signsrch malware.exe
Output: List of detected algorithms


📁 PE FILE ANALYSIS

🔧 PEFRAME

Purpose: Comprehensive PE static analyzer
Syntax: peframe [options] [pe_file]
Example: peframe -j malware.exe
Output: JSON format analysis report

🔧 PEFILE

Purpose: Python PE file analysis library
Syntax: python3 -c "import pefile; pe=pefile.PE('file.exe'); print(pe.dump_info())"
Example: python3 -c "import pefile; pe=pefile.PE('malware.exe'); print(pe.dump_info())"
Output: Detailed PE structure information

🔧 PESCAN

Purpose: Scan PE files for suspicious indicators
Syntax: pescan [pe_file]
Example: pescan malware.exe
Output: Suspicious characteristics report

🔧 MANALYZE

Purpose: Advanced PE analyzer with plugins
Syntax: manalyze [options] [pe_file]
Example: manalyze --plugins=all malware.exe
Output: Comprehensive analysis with threat score


📁 STRING ANALYSIS & DEOBFUSCATION

🔧 STRINGS

Purpose: Extract printable strings from files
Syntax: strings [options] [filename]
Example: strings -n 6 malware.exe | head -20
Output: List of printable strings

🔧 FLOSS

Purpose: FLARE Obfuscated String Solver
Syntax: floss [options] [filename]
Example: floss --no-static-strings malware.exe
Output: Deobfuscated strings

🔧 BASE64DUMP

Purpose: Extract and decode Base64 strings
Syntax: base64dump.py [options] [filename]
Example: base64dump.py -s 1 -d malware.txt
Output: Decoded Base64 content

🔧 XORSEARCH

Purpose: Search for XOR encoded strings
Syntax: xorsearch [options] [filename] [string]
Example: xorsearch -W malware.exe kernel32
Output: XOR key and decoded strings

🔧 CYBERCHEF

Purpose: Web-based data transformation tool
Setup: Start with cyberchef command
Access: Open browser to http://localhost:8080
Usage: Upload file and apply transformations
Output: Decoded/transformed data


📁 DISASSEMBLERS & DECOMPILERS

🔧 GHIDRA

Purpose: NSA reverse engineering framework
Syntax: ghidra or ghidraRun
Usage: Import malware.exe and analyze
Output: Decompiled C-like code

🔧 RADARE2

Purpose: Command-line reverse engineering framework
Syntax: r2 [options] [filename]
Example: r2 -A malware.exe
Output: Interactive analysis session

🔧 CUTTER

Purpose: GUI for Radare2
Syntax: cutter [filename]
Example: cutter malware.exe
Output: Graphical disassembly interface

🔧 OBJDUMP

Purpose: GNU object file dumper
Syntax: objdump [options] [filename]
Example: objdump -d -M intel malware.exe
Output: Disassembled code

🔧 RETDEC-DECOMPILER

Purpose: Multi-architecture decompiler
Syntax: retdec-decompiler [options] [filename]
Example: retdec-decompiler malware.exe
Output: Decompiled C code


📁 DYNAMIC ANALYSIS & DEBUGGING

🔧 GDB

Purpose: GNU debugger for Linux binaries
Syntax: gdb [program] or gdb -p [pid]
Example: gdb ./malware
Output: Interactive debugging session

🔧 STRACE

Purpose: Trace system calls
Syntax: strace [options] [command]
Example: strace -f -e trace=file ./malware
Output: System call trace

🔧 LTRACE

Purpose: Trace library calls
Syntax: ltrace [options] [command]
Example: ltrace ./malware
Output: Library function call trace

🔧 FRIDA

Purpose: Dynamic instrumentation toolkit
Syntax: frida [options] [target]
Example: frida -l script.js malware
Output: Runtime manipulation results


📁 MEMORY FORENSICS

🔧 VOLATILITY (v2)

Purpose: Memory forensics framework
Syntax: vol.py -f [memory_dump] --profile=[profile] [plugin]
Example: vol.py -f memory.dump --profile=Win7SP1x64 pslist
Output: Process list from memory

🔧 VOLATILITY3 (v3)

Purpose: Next-gen memory forensics
Syntax: vol3 -f [memory_dump] [plugin]
Example: vol3 -f memory.dump windows.pslist
Output: Enhanced process information

🔧 REKALL

Purpose: Memory forensics and live analysis
Syntax: rekall -f [memory_dump]
Example: rekall -f memory.dump
Output: Interactive memory analysis


📁 DOCUMENT ANALYSIS

🔧 OLEVBA

Purpose: Extract VBA macros from Office documents
Syntax: olevba [options] [document]
Example: olevba --decode malicious.docm
Output: Extracted and decoded macros

🔧 OLEDUMP

Purpose: Analyze OLE files and extract objects
Syntax: oledump.py [options] [olefile]
Example: oledump.py -s 3 -d document.docm
Output: Dumped OLE stream content

🔧 PDFID

Purpose: Analyze PDF structure for suspicious elements
Syntax: pdfid.py [options] [pdf_file]
Example: pdfid.py suspicious.pdf
Output: PDF object statistics

🔧 PEEPDF

Purpose: Interactive PDF analysis tool
Syntax: peepdf [options] [pdf_file]
Example: peepdf -i malicious.pdf
Output: Interactive PDF exploration

🔧 RTFDUMP

Purpose: Analyze RTF documents
Syntax: rtfdump.py [options] [rtf_file]
Example: rtfdump.py document.rtf
Output: RTF structure analysis


📁 NETWORK ANALYSIS

🔧 WIRESHARK

Purpose: Network protocol analyzer GUI
Syntax: wireshark [options] [capture_file]
Example: wireshark capture.pcap
Output: Graphical packet analysis

🔧 TSHARK

Purpose: Command-line Wireshark
Syntax: tshark [options]
Example: tshark -r capture.pcap -Y http
Output: Filtered packet information

🔧 TCPDUMP

Purpose: Capture network packets
Syntax: tcpdump [options] [expression]
Example: tcpdump -i eth0 -w capture.pcap
Output: Captured network packets

🔧 NGREP

Purpose: Network grep for packet payloads
Syntax: ngrep [options] [pattern] [expression]
Example: ngrep -i 'GET|POST' port 80
Output: Matching packet content


📁 JAVASCRIPT ANALYSIS

🔧 BOX-JS

Purpose: JavaScript sandbox for analysis
Syntax: box-js [javascript_file]
Example: box-js malicious.js
Output: Execution trace and IOCs

🔧 JS-FILE

Purpose: JavaScript file analyzer
Syntax: js-file [javascript_file]
Example: js-file obfuscated.js
Output: JavaScript analysis report


📁 ARCHIVE & PACKING

🔧 UPX

Purpose: Ultimate Packer for eXecutables
Syntax: upx [options] [files]
Example: upx -d packed.exe (unpack)
Output: Unpacked executable

🔧 7Z

Purpose: 7-Zip archiver
Syntax: 7z [command] [archive] [files]
Example: 7z x archive.7z
Output: Extracted files

🔧 UNZIP

Purpose: Extract ZIP archives
Syntax: unzip [options] [zipfile]
Example: unzip -l archive.zip
Output: Archive contents list


📁 UTILITIES

🔧 HEXDUMP

Purpose: Display file contents in hexadecimal
Syntax: hexdump [options] [file]
Example: hexdump -C malware.exe | head
Output: Hex and ASCII representation

🔧 XXD

Purpose: Hex dump and reverse tool
Syntax: xxd [options] [file]
Example: xxd malware.exe | head -10
Output: Formatted hex dump

🔧 CUT

Purpose: Extract columns from text
Syntax: cut [options] [file]
Example: strings malware.exe | cut -c1-50
Output: Truncated string output


🚀 Quick Analysis Workflow

# 1. Basic file identification
file malware.exe
trid malware.exe
exiftool malware.exe

# 2. Hash and scan
md5sum malware.exe
ssdeep malware.exe
clamscan malware.exe

# 3. PE analysis (if Windows executable)
peframe malware.exe
manalyze malware.exe

# 4. String analysis
strings malware.exe | head -50
floss malware.exe

# 5. Pattern matching
yara rules.yar malware.exe

# 6. Static disassembly
r2 -A malware.exe
# or
ghidra malware.exe

# 7. Dynamic analysis (Linux binaries only in container)
strace ./linux_malware
ltrace ./linux_malware

📋 Common Command Combinations

# Extract and analyze strings
strings malware.exe | grep -i "http\|ftp\|\.exe\|\.dll" | head -20

# Search for Base64 encoded content
base64dump.py malware.exe | head -10

# Look for XOR patterns
xorsearch -W malware.exe http

# Bulk artifact extraction
bulk_extractor -o artifacts malware.exe

# Memory dump analysis
vol.py -f memory.dump --profile=Win7SP1x64 pslist
vol.py -f memory.dump --profile=Win7SP1x64 netscan
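The triage script below is an added example, not part of the REMnux project or this repository: it chains steps 1 to 5 of the Quick Analysis Workflow and the "strings | grep" IOC combination into one report, skipping any tool the host lacks so it runs the same inside the container and on a bare workstation. The function names and the optional RULES argument are this example's own assumptions.

```sh
#!/bin/sh
# Added example: wraps steps 1-5 of the Quick Analysis Workflow and the
# IOC string grep from the command combinations into one repeatable report.
# Tools that are not installed are reported as skipped rather than aborting,
# so the script behaves the same inside the REMnux container and on a bare host.
# Function names and the optional RULES argument are this example's assumptions.

# run_if TOOL ARGS...: run TOOL if present; a non-zero exit (e.g. clamscan
# returning 1 on a detection) is recorded instead of stopping the report.
run_if() {
    if command -v "$1" >/dev/null 2>&1; then
        "$@" 2>&1 || echo "[exit $?] $1"
    else
        echo "[skip] $1 not installed"
    fi
}

# ioc_strings FILE: printable runs of 6+ chars that look like URLs or Windows
# binaries (the 'strings | grep' combination), with a tr fallback when
# binutils' strings is absent. The trailing sort exits 0 even with no matches.
ioc_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings -n 6 "$1"
    else
        tr -c '[:print:]' '\n' < "$1" | grep -E '^.{6,}$'
    fi | grep -iE 'https?://|ftp://|\.exe|\.dll' | sort -u
}

# triage FILE [RULES]: one report on stdout covering identification, hashes,
# PE analysis, IOC strings and optional YARA matching.
triage() {
    f=$1; rules=${2:-}
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    echo "== 1. identification"
    run_if file "$f"; run_if trid "$f"
    echo "== 2. hashes and AV"
    sha256sum "$f"; run_if ssdeep -b "$f"; run_if clamscan --no-summary "$f"
    echo "== 3. PE static analysis"
    run_if peframe "$f"; run_if manalyze "$f"
    echo "== 4. IOC strings"
    ioc_strings "$f"
    if [ -n "$rules" ]; then
        echo "== 5. yara"; run_if yara "$rules" "$f"
    fi
}
```

Run it as `triage ~/files/malware.exe rules.yar > malware.triage.txt` from inside the container; the "[skip]" markers tell you which steps still need a tool installed.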

Total Tools Covered: 48 essential REMnux tools
Container: remnux/remnux-distro:focal
Total Available Tools: 300+ tools across all categories