docker_file_analysis/remnux-tldr-cheatsheet.md
Tobias Kessels b98aaee3e0 Major repository cleanup and enhancement
- Reorganize documentation: moved old docs to docs/ directory
- Add comprehensive README.md with build options and usage guide
- Add detailed CONTRIBUTING.md with help content management guide
- Create Makefile for automated building and testing
- Add Dockerfile.scratch for building from Ubuntu 20.04 base
- Enhance all Dockerfiles with PowerShell + PSScriptAnalyzer
- Add modern shells: zsh (with plugins) and fish (with config)
- Add modern CLI tools: fd-find, ripgrep, fzf
- Create comprehensive help system with cheat/TLDR/fish completions
- Add helper scripts for help content management and coverage checking
- Fix Dockerfile.remnux script references
- Support three build variants: upstream (REMnux), scratch (Ubuntu), kali

Build options:
  - make build-upstream: Fast, uses REMnux upstream (recommended)
  - make build-scratch: Full control, builds from Ubuntu 20.04
  - make build-kali: Legacy Kali Linux base

Features:
  - PowerShell with PSScriptAnalyzer module
  - Modern shells (zsh, fish) with custom configurations
  - Enhanced help system (cheat sheets, TLDR pages, fish completions)
  - Help coverage checking and bulk import tools
  - Comprehensive documentation for users and contributors
2025-10-01 11:45:56 +02:00


# REMnux Docker Container - TLDR Tools Cheat Sheet
## Quick Start
```bash
# Run REMnux container
docker run --rm -it -u remnux -v ~/samples:/home/remnux/files remnux/remnux-distro:focal bash
# Default credentials: remnux/malware
```
---
## 📁 GENERAL FILE ANALYSIS
### 🔧 FILE
**Purpose**: Identify file type using magic numbers
**Syntax**: `file [filename]`
**Example**: `file malware.exe`
**Output**: Shows file type and basic properties
### 🔧 EXIFTOOL
**Purpose**: Extract metadata from files
**Syntax**: `exiftool [options] [filename]`
**Example**: `exiftool -a malware.exe`
**Output**: Displays all metadata tags
### 🔧 TRID
**Purpose**: Identify file types using signatures
**Syntax**: `trid [filename]`
**Example**: `trid unknown_file.bin`
**Output**: Shows percentage probability of file types
### 🔧 DIE (Detect-It-Easy)
**Purpose**: Detect file types and examine properties
**Syntax**: `die [filename]` or `diec [filename]`
**Example**: `die malware.exe`
**Output**: Comprehensive file analysis
### 🔧 YARA
**Purpose**: Pattern matching for malware identification
**Syntax**: `yara [rulefile] [target]`
**Example**: `yara rules.yar malware.exe`
**Output**: Shows matching rules
### 🔧 SSDEEP
**Purpose**: Compute fuzzy hashes for similarity detection
**Syntax**: `ssdeep [options] [files]`
**Example**: `ssdeep -d malware1.exe malware2.exe`
**Output**: Fuzzy hash comparison results
### 🔧 CLAMSCAN
**Purpose**: Scan files for malware signatures
**Syntax**: `clamscan [options] [file/directory]`
**Example**: `clamscan --verbose malware.exe`
**Output**: Virus detection results
### 🔧 BINWALK
**Purpose**: Extract and analyze firmware images
**Syntax**: `binwalk [options] [filename]`
**Example**: `binwalk -e firmware.bin`
**Output**: Signature scan results and extracted files (`-E` adds entropy analysis)
### 🔧 BULK_EXTRACTOR
**Purpose**: Extract strings and artifacts from files
**Syntax**: `bulk_extractor [options] -o [output_dir] [input]`
**Example**: `bulk_extractor -o output_dir malware.exe`
**Output**: Directory with extracted artifacts
### 🔧 SIGNSRCH
**Purpose**: Find crypto/compression algorithm signatures
**Syntax**: `signsrch [filename]`
**Example**: `signsrch malware.exe`
**Output**: List of detected algorithms
---
## 📁 PE FILE ANALYSIS
### 🔧 PEFRAME
**Purpose**: Comprehensive PE static analyzer
**Syntax**: `peframe [options] [pe_file]`
**Example**: `peframe -j malware.exe`
**Output**: JSON format analysis report
### 🔧 PEFILE
**Purpose**: Python PE file analysis library
**Syntax**: `python3 -c "import pefile; pe=pefile.PE('file.exe'); print(pe.dump_info())"`
**Example**: `python3 -c "import pefile; print(pefile.PE('malware.exe').dump_info())"`
**Output**: Detailed PE structure information
### 🔧 PESCAN
**Purpose**: Scan PE files for suspicious indicators
**Syntax**: `pescan [pe_file]`
**Example**: `pescan malware.exe`
**Output**: Suspicious characteristics report
### 🔧 MANALYZE
**Purpose**: Advanced PE analyzer with plugins
**Syntax**: `manalyze [options] [pe_file]`
**Example**: `manalyze --plugins=all malware.exe`
**Output**: Comprehensive analysis with threat score
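The PE triage that peframe and manalyze automate boils down to walking the DOS header, COFF header and section table and scoring each section; the added example below does that in plain Python (it is not the cheat sheet's code and not pefile's API) on a constructed, non-executable PE skeleton whose `UPX1` section is filled with uniformly distributed bytes.

```python
import math
import struct

# Section names that packer detectors flag; UPX0/UPX1 are what upx leaves behind.
PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".petite"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_pe(blob: bytes) -> dict:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    sec_off = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsections):  # each section header is 40 bytes; we read the first 24
        name, _vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, sec_off + 40 * i)
        name = name.rstrip(b"\0")
        ent = entropy(blob[rawptr:rawptr + rawsize])
        sections.append({"name": name.decode("latin-1"), "entropy": round(ent, 2),
                         "packer_hint": name in PACKER_SECTIONS or ent > 7.0})
    return {"machine": {0x14C: "x86", 0x8664: "x86-64"}.get(machine, hex(machine)),
            "sections": sections}

def build_sample() -> bytes:
    """Constructed x86-64 PE skeleton: zero-filled .text plus a high-entropy UPX1 section."""
    opt = struct.pack("<H", 0x20B) + bytes(238)          # PE32+ magic, remaining fields zeroed
    hdr_len = 0x40 + 4 + 20 + len(opt) + 40 * 2          # offset where raw section data starts
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x22)
    sec1 = struct.pack("<8sIIII", b".text", 512, 0x1000, 512, hdr_len) + bytes(16)
    sec2 = struct.pack("<8sIIII", b"UPX1", 512, 0x2000, 512, hdr_len + 512) + bytes(16)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew at 0x3C points to 0x40
    return dos + b"PE\0\0" + coff + opt + sec1 + sec2 + bytes(512) + bytes(range(256)) * 2

if __name__ == "__main__":
    print(parse_pe(build_sample()))
```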
---
## 📁 STRING ANALYSIS & DEOBFUSCATION
### 🔧 STRINGS
**Purpose**: Extract printable strings from files
**Syntax**: `strings [options] [filename]`
**Example**: `strings -n 6 malware.exe | head -20`
**Output**: List of printable strings
### 🔧 FLOSS
**Purpose**: FLARE Obfuscated String Solver
**Syntax**: `floss [options] [filename]`
**Example**: `floss --no-static-strings malware.exe`
**Output**: Deobfuscated strings
### 🔧 BASE64DUMP
**Purpose**: Extract and decode Base64 strings
**Syntax**: `base64dump.py [options] [filename]`
**Example**: `base64dump.py -s 1 -d malware.txt`
**Output**: Decoded Base64 content
### 🔧 XORSEARCH
**Purpose**: Search for XOR encoded strings
**Syntax**: `xorsearch [options] [filename] [string]`
**Example**: `xorsearch -W malware.exe kernel32`
**Output**: XOR key and decoded strings
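What base64dump.py and xorsearch do under the hood, as an added example that is neither the cheat sheet's code nor either tool's own: find padded Base64 runs that decode cleanly, and brute-force every 1-byte XOR key looking for a known plaintext such as `kernel32.dll`. The sample blob, the key 0x5A and the embedded URL are constructed.

```python
import base64
import re

# Constructed sample: log-like text with an embedded Base64 URL and a 1-byte-XOR-encoded DLL name.
KEY = 0x5A
SAMPLE = (b"---- constructed sample ----\n"
          + base64.b64encode(b"http://example.invalid/payload.bin") + b"  "
          + bytes(c ^ KEY for c in b"kernel32.dll") + b"\n---- end ----\n")

B64_RE = re.compile(rb"[A-Za-z0-9+/]{20,}={0,2}")

def find_base64(blob: bytes):
    """Like base64dump.py: return (offset, decoded bytes) for each Base64 run >= 20 chars."""
    hits = []
    for m in B64_RE.finditer(blob):
        run = m.group()
        if len(run) % 4:          # reject runs that are not properly padded
            continue
        try:
            hits.append((m.start(), base64.b64decode(run, validate=True)))
        except ValueError:        # binascii.Error is a ValueError: not real Base64
            pass
    return hits

def xor_search(blob: bytes, needle: bytes):
    """Like xorsearch: return (key, offset) for every 1-byte key under which needle appears."""
    found = []
    for key in range(256):
        encoded = bytes(b ^ key for b in needle)
        pos = blob.find(encoded)
        if pos != -1:
            found.append((key, pos))
    return found

if __name__ == "__main__":
    for off, decoded in find_base64(SAMPLE):
        print(f"base64 @ {off}: {decoded!r}")
    for key, off in xor_search(SAMPLE, b"kernel32.dll"):
        print(f"xor key 0x{key:02X} @ {off}")
```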
### 🔧 CYBERCHEF
**Purpose**: Web-based data transformation tool
**Setup**: Start with `cyberchef` command
**Access**: Open browser to http://localhost:8080
**Usage**: Upload file and apply transformations
**Output**: Decoded/transformed data
---
## 📁 DISASSEMBLERS & DECOMPILERS
### 🔧 GHIDRA
**Purpose**: NSA reverse engineering framework
**Syntax**: `ghidra` or `ghidraRun`
**Usage**: Import malware.exe and analyze
**Output**: Decompiled C-like code
### 🔧 RADARE2
**Purpose**: Command-line reverse engineering framework
**Syntax**: `r2 [options] [filename]`
**Example**: `r2 -A malware.exe`
**Output**: Interactive analysis session
### 🔧 CUTTER
**Purpose**: GUI for Radare2
**Syntax**: `cutter [filename]`
**Example**: `cutter malware.exe`
**Output**: Graphical disassembly interface
### 🔧 OBJDUMP
**Purpose**: GNU object file dumper
**Syntax**: `objdump [options] [filename]`
**Example**: `objdump -d -M intel malware.exe`
**Output**: Disassembled code
### 🔧 RETDEC-DECOMPILER
**Purpose**: Multi-architecture decompiler
**Syntax**: `retdec-decompiler [options] [filename]`
**Example**: `retdec-decompiler malware.exe`
**Output**: Decompiled C code
---
## 📁 DYNAMIC ANALYSIS & DEBUGGING
### 🔧 GDB
**Purpose**: GNU debugger for Linux binaries
**Syntax**: `gdb [program]` or `gdb -p [pid]`
**Example**: `gdb ./malware`
**Output**: Interactive debugging session
### 🔧 STRACE
**Purpose**: Trace system calls
**Syntax**: `strace [options] [command]`
**Example**: `strace -f -e trace=file ./malware`
**Output**: System call trace
### 🔧 LTRACE
**Purpose**: Trace library calls
**Syntax**: `ltrace [options] [command]`
**Example**: `ltrace ./malware`
**Output**: Library function call trace
### 🔧 FRIDA
**Purpose**: Dynamic instrumentation toolkit
**Syntax**: `frida [options] [target]`
**Example**: `frida -l script.js malware`
**Output**: Runtime manipulation results
---
## 📁 MEMORY FORENSICS
### 🔧 VOLATILITY (v2)
**Purpose**: Memory forensics framework
**Syntax**: `vol.py -f [memory_dump] --profile=[profile] [plugin]`
**Example**: `vol.py -f memory.dump --profile=Win7SP1x64 pslist`
**Output**: Process list from memory
### 🔧 VOLATILITY3 (v3)
**Purpose**: Next-gen memory forensics
**Syntax**: `vol3 -f [memory_dump] [plugin]`
**Example**: `vol3 -f memory.dump windows.pslist`
**Output**: Enhanced process information
### 🔧 REKALL
**Purpose**: Memory forensics and live analysis
**Syntax**: `rekall -f [memory_dump]`
**Example**: `rekall -f memory.dump`
**Output**: Interactive memory analysis
---
## 📁 DOCUMENT ANALYSIS
### 🔧 OLEVBA
**Purpose**: Extract VBA macros from Office documents
**Syntax**: `olevba [options] [document]`
**Example**: `olevba --decode malicious.docm`
**Output**: Extracted and decoded macros
### 🔧 OLEDUMP
**Purpose**: Analyze OLE files and extract objects
**Syntax**: `oledump.py [options] [olefile]`
**Example**: `oledump.py -s 3 -d document.docm`
**Output**: Dumped OLE stream content
### 🔧 PDFID
**Purpose**: Analyze PDF structure for suspicious elements
**Syntax**: `pdfid.py [options] [pdf_file]`
**Example**: `pdfid.py suspicious.pdf`
**Output**: PDF object statistics
### 🔧 PEEPDF
**Purpose**: Interactive PDF analysis tool
**Syntax**: `peepdf [options] [pdf_file]`
**Example**: `peepdf -i malicious.pdf`
**Output**: Interactive PDF exploration
### 🔧 RTFDUMP
**Purpose**: Analyze RTF documents
**Syntax**: `rtfdump.py [options] [rtf_file]`
**Example**: `rtfdump.py document.rtf`
**Output**: RTF structure analysis
---
## 📁 NETWORK ANALYSIS
### 🔧 WIRESHARK
**Purpose**: Network protocol analyzer GUI
**Syntax**: `wireshark [options] [capture_file]`
**Example**: `wireshark capture.pcap`
**Output**: Graphical packet analysis
### 🔧 TSHARK
**Purpose**: Command-line Wireshark
**Syntax**: `tshark [options]`
**Example**: `tshark -r capture.pcap -Y http`
**Output**: Filtered packet information
### 🔧 TCPDUMP
**Purpose**: Capture network packets
**Syntax**: `tcpdump [options] [expression]`
**Example**: `tcpdump -i eth0 -w capture.pcap`
**Output**: Captured network packets
### 🔧 NGREP
**Purpose**: Network grep for packet payloads
**Syntax**: `ngrep [options] [pattern] [expression]`
**Example**: `ngrep -i 'GET|POST' port 80`
**Output**: Matching packet content
---
## 📁 JAVASCRIPT ANALYSIS
### 🔧 BOX-JS
**Purpose**: JavaScript sandbox for analysis
**Syntax**: `box-js [javascript_file]`
**Example**: `box-js malicious.js`
**Output**: Execution trace and IOCs
### 🔧 JS-FILE
**Purpose**: JavaScript file analyzer
**Syntax**: `js-file [javascript_file]`
**Example**: `js-file obfuscated.js`
**Output**: JavaScript analysis report
---
## 📁 ARCHIVE & PACKING
### 🔧 UPX
**Purpose**: Ultimate Packer for eXecutables
**Syntax**: `upx [options] [files]`
**Example**: `upx -d packed.exe` (unpack)
**Output**: Unpacked executable
### 🔧 7Z
**Purpose**: 7-Zip archiver
**Syntax**: `7z [command] [archive] [files]`
**Example**: `7z x archive.7z`
**Output**: Extracted files
### 🔧 UNZIP
**Purpose**: Extract ZIP archives
**Syntax**: `unzip [options] [zipfile]`
**Example**: `unzip -l archive.zip`
**Output**: Archive contents list
---
## 📁 UTILITIES
### 🔧 HEXDUMP
**Purpose**: Display file contents in hexadecimal
**Syntax**: `hexdump [options] [file]`
**Example**: `hexdump -C malware.exe | head`
**Output**: Hex and ASCII representation
### 🔧 XXD
**Purpose**: Hex dump and reverse tool
**Syntax**: `xxd [options] [file]`
**Example**: `xxd malware.exe | head -10`
**Output**: Formatted hex dump
### 🔧 CUT
**Purpose**: Extract columns from text
**Syntax**: `cut [options] [file]`
**Example**: `strings malware.exe | cut -c1-50`
**Output**: Truncated string output
---
## 🚀 Quick Analysis Workflow
```bash
# 1. Basic file identification
file malware.exe
trid malware.exe
exiftool malware.exe
# 2. Hash and scan
md5sum malware.exe
ssdeep malware.exe
clamscan malware.exe
# 3. PE analysis (if Windows executable)
peframe malware.exe
manalyze malware.exe
# 4. String analysis
strings malware.exe | head -50
floss malware.exe
# 5. Pattern matching
yara rules.yar malware.exe
# 6. Static disassembly
r2 -A malware.exe
# or
ghidra malware.exe
# 7. Dynamic analysis (Linux binaries only in container)
strace ./linux_malware
ltrace ./linux_malware
```
---
## 📋 Common Command Combinations
```bash
# Extract and analyze strings
strings malware.exe | grep -i "http\|ftp\|\.exe\|\.dll" | head -20
# Search for Base64 encoded content
base64dump.py malware.exe | head -10
# Look for XOR patterns
xorsearch -W malware.exe http
# Bulk artifact extraction
bulk_extractor -o artifacts malware.exe
# Memory dump analysis
vol.py -f memory.dump --profile=Win7SP1x64 pslist
vol.py -f memory.dump --profile=Win7SP1x64 netscan
```
**Total Tools Covered**: 48 essential REMnux tools
**Container**: `remnux/remnux-distro:focal`
**Total Available Tools**: 300+ tools across all categories