docker_file_analysis/data/generated/tools.json
tobias f3ccc09c3d Add FOR610 tool/workflow knowledge base and data pipeline
Build comprehensive malware analysis knowledge base from 3 sources:
- SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes
- REMnux salt-states: 340 packages parsed from GitHub
- REMnux docs: 280+ tools scraped from docs.remnux.org

Master inventory merges all sources into 447 tools with help tiers
(rich/standard/basic). Pipeline generates: tools.db (397 entries),
397 cheatsheets with multi-tool recipes, 15 workflow guides, 224
TLDR pages, and coverage reports.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 17:38:15 +01:00

2938 lines
64 KiB
JSON

{
"tools": [
{
"id": "pdfid-py",
"name": "pdfid.py",
"aliases": [
"pdfid"
],
"description": "Scan PDF files for suspicious keywords like /JavaScript, /OpenAction, /Launch without parsing",
"category": "pdf-analysis",
"platform": "linux",
"in_remnux": true,
"author": "Didier Stevens",
"labs": [
"3.1"
],
"typical_usage": [
"pdfid.py document.pdf",
"pdfid.py -n document.pdf"
],
"for610_sections": [
1,
3
],
"tags": [
"pdf",
"static-analysis",
"triage",
"didier-stevens"
]
},
{
"id": "pdf-parser-py",
"name": "pdf-parser.py",
"aliases": [
"pdf-parser"
],
"description": "Parse PDF structure, locate objects, extract content, and search for strings",
"category": "pdf-analysis",
"platform": "linux",
"in_remnux": true,
"author": "Didier Stevens",
"labs": [
"3.1"
],
"typical_usage": [
"pdf-parser.py document.pdf -a",
"pdf-parser.py document.pdf -s /URI",
"pdf-parser.py document.pdf -k /URI",
"pdf-parser.py document.pdf -o 6 -d object6.jpg"
],
"for610_sections": [
1,
3
],
"tags": [
"pdf",
"static-analysis",
"object-extraction",
"didier-stevens"
]
},
{
"id": "peepdf",
"name": "peepdf",
"aliases": [],
"description": "Interactive PDF analysis framework with JavaScript detection and exploitation capabilities",
"category": "pdf-analysis",
"platform": "linux",
"in_remnux": true,
"labs": [],
"typical_usage": [
"peepdf -i malicious.pdf",
"peepdf -f -i malicious.pdf"
],
"for610_sections": [
1
],
"tags": [
"pdf",
"interactive",
"javascript-detection"
]
},
{
"id": "pdftool-py",
"name": "pdftool.py",
"aliases": [],
"description": "Analyze PDF incremental updates",
"category": "pdf-analysis",
"platform": "linux",
"in_remnux": true,
"author": "Didier Stevens",
"labs": [],
"typical_usage": [
"pdftool.py document.pdf"
],
"for610_sections": [
1
],
"tags": [
"pdf",
"didier-stevens"
]
},
{
"id": "pdfresurrect",
"name": "pdfresurrect",
"aliases": [],
"description": "Extract and analyze previous versions from PDF files",
"category": "pdf-analysis",
"platform": "linux",
"in_remnux": true,
"labs": [],
"typical_usage": [
"pdfresurrect document.pdf"
],
"for610_sections": [
1
],
"tags": [
"pdf",
"versioning"
]
},
{
"id": "qpdf",
"name": "qpdf",
"aliases": [],
"description": "Decrypt, linearize, and transform PDF files \u2014 useful for removing password protection",
"category": "pdf-analysis",
"platform": "linux",
"in_remnux": true,
"labs": [],
"typical_usage": [
"qpdf --decrypt encrypted.pdf output.pdf"
],
"for610_sections": [
3
],
"tags": [
"pdf",
"decryption",
"transformation"
]
},
{
"id": "pdftk",
"name": "pdftk",
"aliases": [],
"description": "Manipulate PDF files \u2014 merge, split, flatten, encrypt, and extract embedded content",
"category": "pdf-analysis",
"platform": "linux",
"in_remnux": true,
"labs": [],
"typical_usage": [
"pdftk input.pdf cat output output.pdf flatten",
"pdftk input.pdf unpack_files"
],
"for610_sections": [
3
],
"tags": [
"pdf",
"manipulation",
"extraction"
]
},
{
"id": "oledump-py",
"name": "oledump.py",
"aliases": [
"oledump"
],
"description": "Analyze OLE2 files (Office documents), extract streams and VBA macros",
"category": "document-analysis",
"platform": "linux",
"in_remnux": true,
"author": "Didier Stevens",
"labs": [
"3.3",
"3.4",
"4.5"
],
"typical_usage": [
"oledump.py document.docm",
"oledump.py document.docm -s A3 -v",
"oledump.py document.docm -i"
],
"for610_sections": [
3,
4
],
"tags": [
"office",
"vba",
"macro",
"ole",
"didier-stevens"
]
},
{
"id": "olevba",
"name": "olevba",
"aliases": [],
"description": "Extract and analyze VBA macros from Office documents with deobfuscation",
"category": "document-analysis",
"platform": "linux",
"in_remnux": true,
"labs": [],
"typical_usage": [
"olevba document.docm",
"olevba --deobf document.docm"
],
"for610_sections": [
3
],
"tags": [
"office",
"vba",
"macro",
"deobfuscation"
]
},
{
"id": "evilclippy",
"name": "evilclippy",
"aliases": [],
"description": "Remove VBA project password protection and manipulate Office macro settings",
"category": "document-analysis",
"platform": "both",
"in_remnux": true,
"labs": [],
"typical_usage": [
"evilclippy -uu document.docm"
],
"for610_sections": [
3
],
"tags": [
"office",
"vba",
"password-removal"
]
},
{
"id": "rtfdump-py",
"name": "rtfdump.py",
"aliases": [
"rtfdump"
],
"description": "Analyze RTF file structure, identify hex-encoded groups and embedded objects",
"category": "document-analysis",
"platform": "linux",
"in_remnux": true,
"author": "Didier Stevens",
"labs": [
"3.5"
],
"typical_usage": [
"rtfdump.py document.rtf",
"rtfdump.py document.rtf -s 5 -H -d > extracted.bin"
],
"for610_sections": [
3
],
"tags": [
"rtf",
"document",
"didier-stevens"
]
},
{
"id": "base64dump-py",
"name": "base64dump.py",
"aliases": [
"base64dump"
],
"description": "Extract and decode Base64-encoded strings from files",
"category": "document-analysis",
"platform": "linux",
"in_remnux": true,
"author": "Didier Stevens",
"labs": [
"3.4",
"4.5"
],
"typical_usage": [
"base64dump.py file.txt",
"base64dump.py file.ps1 -n 10",
"base64dump.py file.ps1 -s 2 -d"
],
"for610_sections": [
3,
4
],
"tags": [
"base64",
"decoding",
"didier-stevens"
]
},
{
"id": "emldump-py",
"name": "emldump.py",
"aliases": [
"emldump"
],
"description": "Parse and analyze EML email message files",
"category": "document-analysis",
"platform": "linux",
"in_remnux": true,
"author": "Didier Stevens",
"labs": [],
"typical_usage": [
"emldump.py message.eml"
],
"for610_sections": [
3
],
"tags": [
"email",
"eml",
"didier-stevens"
]
},
{
"id": "zipdump-py",
"name": "zipdump.py",
"aliases": [
"zipdump"
],
"description": "Parse and analyze ZIP archive structure",
"category": "document-analysis",
"platform": "linux",
"in_remnux": true,
"author": "Didier Stevens",
"labs": [],
"typical_usage": [
"zipdump.py archive.zip"
],
"for610_sections": [
3
],
"tags": [
"zip",
"archive",
"didier-stevens"
]
},
{
"id": "numbers-to-string-py",
"name": "numbers-to-string.py",
"aliases": [],
"description": "Convert sequences of decimal numbers to readable characters",
"category": "document-analysis",
"platform": "linux",
"in_remnux": true,
"author": "Didier Stevens",
"labs": [
"3.3"
],
"typical_usage": [
"oledump.py doc.docm -s A3 -v | numbers-to-string.py -j"
],
"for610_sections": [
3
],
"tags": [
"decoding",
"deobfuscation",
"didier-stevens"
]
},
{
"id": "translate-py",
"name": "translate.py",
"aliases": [],
"description": "Transform data using Python expressions (XOR, ADD, etc.)",
"category": "document-analysis",
"platform": "linux",
"in_remnux": true,
"author": "Didier Stevens",
"labs": [
"3.4"
],
"typical_usage": [
"translate.py \"byte ^ 35\" < input.bin > output.bin"
],
"for610_sections": [
3
],
"tags": [
"xor",
"transformation",
"decoding",
"didier-stevens"
]
},
{
"id": "pestudio",
"name": "PeStudio",
"aliases": [],
"description": "GUI tool for examining static properties of PE files \u2014 imports, strings, sections, entropy, indicators",
"category": "static-analysis-pe",
"platform": "windows",
"in_remnux": false,
"labs": [
"1.1",
"1.5",
"2.7",
"3.10",
"3.12",
"4.1",
"4.2",
"4.3",
"4.7",
"4.8",
"5.3",
"5.4",
"5.8",
"5.9",
"5.10"
],
"typical_usage": [
"pestudio.exe specimen.exe"
],
"for610_sections": [
1,
2,
3,
4,
5
],
"tags": [
"pe",
"static-analysis",
"imports",
"strings",
"entropy",
"triage"
]
},
{
"id": "peframe",
"name": "peframe",
"aliases": [],
"description": "Static analysis of PE files \u2014 extract properties, detect anomalies, identify packers",
"category": "static-analysis-pe",
"platform": "linux",
"in_remnux": true,
"labs": [
"1.1",
"4.8"
],
"typical_usage": [
"peframe specimen.exe"
],
"for610_sections": [
1,
4
],
"tags": [
"pe",
"static-analysis",
"triage"
]
},
{
"id": "pestr",
"name": "pestr",
"aliases": [],
"description": "Extract ASCII and Unicode strings from PE files",
"category": "static-analysis-pe",
"platform": "linux",
"in_remnux": true,
"labs": [
"1.1",
"4.8"
],
"typical_usage": [
"pestr specimen.exe"
],
"for610_sections": [
1,
4
],
"tags": [
"pe",
"strings",
"static-analysis"
]
},
{
"id": "strings",
"name": "strings",
"aliases": [],
"description": "Extract printable ASCII and Unicode strings from binary files",
"category": "static-analysis-pe",
"platform": "linux",
"in_remnux": true,
"labs": [
"3.4",
"5.2"
],
"typical_usage": [
"strings binary.exe",
"strings -n 10 binary.exe",
"strings --encoding=l binary.exe"
],
"for610_sections": [
1,
3
],
"tags": [
"strings",
"static-analysis",
"triage"
]
},
{
"id": "bytehist",
"name": "Bytehist",
"aliases": [],
"description": "Generate byte-usage histograms to visually identify packed or encrypted sections in binaries",
"category": "static-analysis-pe",
"platform": "both",
"in_remnux": true,
"labs": [],
"typical_usage": [
"bytehist specimen.exe"
],
"for610_sections": [
1,
4
],
"tags": [
"pe",
"entropy",
"packing-detection",
"histogram"
]
},
{
"id": "diec",
"name": "diec",
"aliases": [
"Detect It Easy",
"DIE"
],
"description": "Detect packers, compilers, and tools used to create executables",
"category": "static-analysis-pe",
"platform": "both",
"in_remnux": true,
"labs": [
"4.1"
],
"typical_usage": [
"diec specimen.exe"
],
"for610_sections": [
1,
4
],
"tags": [
"pe",
"packer-detection",
"compiler-detection"
]
},
{
"id": "exeinfo-pe",
"name": "ExeInfo PE",
"aliases": [
"ExeInfoPE",
"ExeInfo"
],
"description": "Identify tools and packers used to create PE executables",
"category": "static-analysis-pe",
"platform": "windows",
"in_remnux": false,
"labs": [
"3.12"
],
"typical_usage": [
"ExeInfoPE.exe specimen.exe"
],
"for610_sections": [
1,
3
],
"tags": [
"pe",
"packer-detection"
]
},
{
"id": "cff-explorer",
"name": "CFF Explorer",
"aliases": [],
"description": "View and edit PE file headers, sections, imports, and resources",
"category": "static-analysis-pe",
"platform": "windows",
"in_remnux": false,
"labs": [],
"typical_usage": [
"CFF Explorer specimen.exe"
],
"for610_sections": [
1
],
"tags": [
"pe",
"header-editing",
"resources"
]
},
{
"id": "file",
"name": "file",
"aliases": [],
"description": "Determine file type and MIME type using magic bytes",
"category": "static-analysis-pe",
"platform": "linux",
"in_remnux": true,
"labs": [
"3.4",
"3.5"
],
"typical_usage": [
"file specimen.exe",
"file document.doc"
],
"for610_sections": [
3
],
"tags": [
"file-identification",
"triage"
]
},
{
"id": "trid",
"name": "trid",
"aliases": [],
"description": "Identify file type by scanning binary signatures database",
"category": "static-analysis-pe",
"platform": "linux",
"in_remnux": true,
"labs": [
"3.3",
"3.4"
],
"typical_usage": [
"trid document.doc"
],
"for610_sections": [
3
],
"tags": [
"file-identification",
"triage"
]
},
{
"id": "exiftool",
"name": "exiftool",
"aliases": [],
"description": "Extract metadata from files (PDF, images, documents, executables)",
"category": "static-analysis-pe",
"platform": "linux",
"in_remnux": true,
"labs": [],
"typical_usage": [
"exiftool document.pdf",
"exiftool specimen.exe"
],
"for610_sections": [
1
],
"tags": [
"metadata",
"triage"
]
},
{
"id": "system-informer",
"name": "System Informer",
"aliases": [
"Process Hacker"
],
"description": "Monitor processes, network connections, handles, and system resources in real time",
"category": "behavioral-analysis",
"platform": "windows",
"in_remnux": false,
"labs": [
"1.2",
"1.3",
"1.6",
"1.7",
"1.8",
"4.2",
"4.5",
"5.1"
],
"typical_usage": [
"SystemInformer.exe"
],
"for610_sections": [
1,
4,
5
],
"tags": [
"process-monitoring",
"handles",
"network",
"real-time"
]
},
{
"id": "process-monitor",
"name": "Process Monitor",
"aliases": [
"ProcMon",
"procmon"
],
"description": "Record file system, registry, process, and thread activity in real time",
"category": "behavioral-analysis",
"platform": "windows",
"in_remnux": false,
"labs": [
"1.2",
"4.5"
],
"typical_usage": [
"Procmon.exe"
],
"for610_sections": [
1,
4
],
"tags": [
"filesystem",
"registry",
"process-monitoring",
"real-time"
]
},
{
"id": "regshot",
"name": "Regshot",
"aliases": [],
"description": "Take and compare registry/filesystem snapshots before and after infection",
"category": "behavioral-analysis",
"platform": "windows",
"in_remnux": false,
"labs": [
"1.2"
],
"typical_usage": [
"Regshot-x64-Unicode.exe"
],
"for610_sections": [
1
],
"tags": [
"registry",
"filesystem",
"snapshot",
"comparison"
]
},
{
"id": "procdot",
"name": "ProcDOT",
"aliases": [],
"description": "Visualize Process Monitor logs as interactive graphs for behavioral analysis",
"category": "behavioral-analysis",
"platform": "both",
"in_remnux": true,
"labs": [
"1.2",
"4.5"
],
"typical_usage": [
"procdot"
],
"for610_sections": [
1,
4
],
"tags": [
"visualization",
"process-monitor",
"behavioral"
]
},
{
"id": "autoruns",
"name": "Autoruns",
"aliases": [],
"description": "View and manage all autostart locations \u2014 startup programs, services, drivers, scheduled tasks",
"category": "behavioral-analysis",
"platform": "windows",
"in_remnux": false,
"labs": [],
"typical_usage": [
"Autoruns.exe"
],
"for610_sections": [
1
],
"tags": [
"persistence",
"autostart",
"startup"
]
},
{
"id": "api-monitor",
"name": "API Monitor",
"aliases": [],
"description": "Monitor and record API calls made by processes",
"category": "behavioral-analysis",
"platform": "windows",
"in_remnux": false,
"labs": [],
"typical_usage": [
"apimonitor-x64.exe"
],
"for610_sections": [
1
],
"tags": [
"api-calls",
"monitoring",
"dynamic-analysis"
]
},
{
"id": "tcplogview",
"name": "TcpLogView",
"aliases": [],
"description": "Log opened and closed TCP connections with process information",
"category": "behavioral-analysis",
"platform": "windows",
"in_remnux": false,
"labs": [],
"typical_usage": [
"TcpLogView.exe"
],
"for610_sections": [
1
],
"tags": [
"network",
"tcp",
"connection-logging"
]
},
{
"id": "wireshark",
"name": "Wireshark",
"aliases": [],
"description": "GUI network protocol analyzer for capturing and inspecting packet-level traffic",
"category": "network-analysis",
"platform": "both",
"in_remnux": true,
"labs": [
"1.2",
"1.3",
"1.6",
"1.7",
"1.8",
"5.1"
],
"typical_usage": [
"wireshark",
"wireshark -r capture.pcap"
],
"for610_sections": [
1,
5
],
"tags": [
"packet-capture",
"protocol-analysis",
"network"
]
},
{
"id": "tshark",
"name": "tshark",
"aliases": [],
"description": "Command-line interface to Wireshark for packet capture and analysis",
"category": "network-analysis",
"platform": "both",
"in_remnux": true,
"labs": [],
"typical_usage": [
"tshark -r capture.pcap",
"tshark -i eth0 -w capture.pcap"
],
"for610_sections": [
1
],
"tags": [
"packet-capture",
"cli",
"network"
]
},
{
"id": "tcpdump",
"name": "tcpdump",
"aliases": [],
"description": "Command-line packet capture tool",
"category": "network-analysis",
"platform": "linux",
"in_remnux": true,
"labs": [],
"typical_usage": [
"tcpdump -i eth0 -w capture.pcap",
"tcpdump -r capture.pcap"
],
"for610_sections": [
1
],
"tags": [
"packet-capture",
"cli",
"network"
]
},
{
"id": "fiddler",
"name": "Fiddler",
"aliases": [],
"description": "HTTP/HTTPS debugging proxy for intercepting, inspecting, and modifying web traffic",
"category": "network-analysis",
"platform": "windows",
"in_remnux": false,
"labs": [
"3.2",
"3.8",
"3.9",
"3.10",
"3.11",
"3.12",
"4.5"
],
"typical_usage": [
"Fiddler.exe"
],
"for610_sections": [
3,
4
],
"tags": [
"http",
"https",
"proxy",
"web-traffic"
]
},
{
"id": "fakedns",
"name": "fakedns",
"aliases": [],
"description": "Fake DNS server that resolves all queries to a specified IP for traffic interception",
"category": "network-analysis",
"platform": "linux",
"in_remnux": true,
"labs": [
"1.3",
"1.6",
"1.7",
"1.8"
],
"typical_usage": [
"fakedns"
],
"for610_sections": [
1
],
"tags": [
"dns",
"spoofing",
"interception",
"lab-setup"
]
},
{
"id": "inetsim",
"name": "INetSim",
"aliases": [],
"description": "Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for malware analysis in isolated labs",
"category": "network-analysis",
"platform": "linux",
"in_remnux": true,
"labs": [
"1.7"
],
"typical_usage": [
"inetsim"
],
"for610_sections": [
1
],
"tags": [
"service-emulation",
"network-simulation",
"lab-setup"
]
},
{
"id": "httpd",
"name": "httpd",
"aliases": [
"accept-all-ips"
],
"description": "Simple HTTP server on REMnux for simulating C2 web servers",
"category": "network-analysis",
"platform": "linux",
"in_remnux": true,
"labs": [
"1.3",
"1.6",
"1.8"
],
"typical_usage": [
"httpd"
],
"for610_sections": [
1
],
"tags": [
"http",
"web-server",
"c2-simulation",
"lab-setup"
]
},
{
"id": "iptables",
"name": "iptables",
"aliases": [],
"description": "Linux firewall and NAT tool for redirecting IP-based malware traffic",
"category": "network-analysis",
"platform": "linux",
"in_remnux": true,
"labs": [
"1.8"
],
"typical_usage": [
"iptables -t nat -A PREROUTING -i ens32 -j REDIRECT"
],
"for610_sections": [
1
],
"tags": [
"firewall",
"nat",
"traffic-redirection"
]
},
{
"id": "netcat",
"name": "nc",
"aliases": [
"netcat"
],
"description": "Network utility for reading/writing data across TCP/UDP connections",
"category": "network-analysis",
"platform": "both",
"in_remnux": true,
"labs": [],
"typical_usage": [
"nc -l -p 3127",
"nc target_ip 80"
],
"for610_sections": [
1
],
"tags": [
"network",
"tcp",
"listener"
]
},
{
"id": "nslookup",
"name": "nslookup",
"aliases": [],
"description": "DNS query tool for testing name resolution",
"category": "network-analysis",
"platform": "both",
"in_remnux": true,
"labs": [
"1.3"
],
"typical_usage": [
"nslookup domain.com"
],
"for610_sections": [
1
],
"tags": [
"dns",
"testing"
]
},
{
"id": "thug",
"name": "Thug",
"aliases": [],
"description": "Low-interaction honeyclient for analyzing malicious websites and drive-by downloads",
"category": "network-analysis",
"platform": "linux",
"in_remnux": true,
"labs": [],
"typical_usage": [
"thug -u win7chrome49 http://suspicious-site.com"
],
"for610_sections": [
3
],
"tags": [
"honeyclient",
"web-analysis",
"drive-by"
]
},
{
"id": "burp-suite",
"name": "Burp Suite",
"aliases": [
"Burp"
],
"description": "Web application security proxy for intercepting and modifying HTTP/HTTPS traffic",
"category": "network-analysis",
"platform": "both",
"in_remnux": false,
"labs": [],
"typical_usage": [
"burpsuite"
],
"for610_sections": [
3
],
"tags": [
"http",
"https",
"proxy",
"web-security"
]
},
{
"id": "torsocks",
"name": "torsocks",
"aliases": [],
"description": "Route network traffic through the Tor anonymity network",
"category": "network-analysis",
"platform": "linux",
"in_remnux": true,
"labs": [],
"typical_usage": [
"torsocks curl http://example.onion"
],
"for610_sections": [
1
],
"tags": [
"tor",
"anonymity",
"network-routing"
]
},
{
"id": "ghidra",
"name": "Ghidra",
"aliases": [],
"description": "Open-source disassembler and decompiler from NSA with scripting, function graphs, and data type management",
"category": "code-analysis",
"platform": "both",
"in_remnux": true,
"labs": [
"2.1",
"2.2",
"2.3",
"2.4",
"2.5",
"2.6",
"2.7",
"2.8",
"4.9",
"5.2",
"5.4",
"5.5",
"5.6",
"5.7",
"5.9"
],
"typical_usage": [
"ghidra"
],
"for610_sections": [
2,
4,
5
],
"tags": [
"disassembly",
"decompilation",
"code-analysis",
"function-graph"
]
},
{
"id": "ida",
"name": "IDA",
"aliases": [
"IDA Pro",
"IDA Freeware"
],
"description": "Commercial interactive disassembler and debugger from Hex-Rays",
"category": "code-analysis",
"platform": "both",
"in_remnux": false,
"labs": [],
"typical_usage": [
"ida64.exe specimen.exe"
],
"for610_sections": [
2
],
"tags": [
"disassembly",
"decompilation",
"commercial"
]
},
{
"id": "binary-ninja",
"name": "Binary Ninja",
"aliases": [],
"description": "Commercial disassembler with strong automated analysis and scripting",
"category": "code-analysis",
"platform": "both",
"in_remnux": false,
"labs": [],
"typical_usage": [
"binaryninja specimen.exe"
],
"for610_sections": [
2
],
"tags": [
"disassembly",
"commercial"
]
},
{
"id": "cutter",
"name": "Cutter",
"aliases": [],
"description": "Open-source reverse engineering platform \u2014 Qt-based GUI for radare2",
"category": "code-analysis",
"platform": "both",
"in_remnux": true,
"labs": [],
"typical_usage": [
"cutter specimen.exe"
],
"for610_sections": [
2
],
"tags": [
"disassembly",
"radare2",
"open-source"
]
},
{
"id": "radare2",
"name": "radare2",
"aliases": [
"r2"
],
"description": "Open-source reverse engineering command-line framework",
"category": "code-analysis",
"platform": "both",
"in_remnux": true,
"labs": [],
"typical_usage": [
"r2 specimen.exe"
],
"for610_sections": [
2
],
"tags": [
"disassembly",
"cli",
"open-source"
]
},
{
"id": "x64dbg",
"name": "x64dbg",
"aliases": [],
"description": "Open-source 64-bit debugger for dynamic malware analysis \u2014 breakpoints, memory inspection, patching",
"category": "debugging",
"platform": "windows",
"in_remnux": false,
"labs": [
"1.5",
"4.3",
"4.4",
"5.1"
],
"typical_usage": [
"x64dbg.exe specimen.exe"
],
"for610_sections": [
1,
4,
5
],
"tags": [
"debugger",
"64-bit",
"dynamic-analysis",
"breakpoints"
]
},
{
"id": "x32dbg",
"name": "x32dbg",
"aliases": [],
"description": "Open-source 32-bit debugger for dynamic malware analysis \u2014 breakpoints, memory inspection, patching",
"category": "debugging",
"platform": "windows",
"in_remnux": false,
"labs": [
"3.5",
"3.10",
"4.6",
"4.7",
"5.3",
"5.4",
"5.5",
"5.6",
"5.7",
"5.8",
"5.9",
"5.10"
],
"typical_usage": [
"x32dbg.exe specimen.exe"
],
"for610_sections": [
3,
4,
5
],
"tags": [
"debugger",
"32-bit",
"dynamic-analysis",
"breakpoints"
]
},
{
"id": "ollydbg",
"name": "OllyDbg",
"aliases": [],
"description": "Classic 32-bit debugger for Windows (legacy, predecessor to x32dbg)",
"category": "debugging",
"platform": "windows",
"in_remnux": false,
"labs": [],
"typical_usage": [
"ollydbg.exe specimen.exe"
],
"for610_sections": [
4,
5
],
"tags": [
"debugger",
"32-bit",
"legacy"
]
},
{
"id": "windbg",
"name": "WinDbg",
"aliases": [],
"description": "Microsoft Windows debugger for kernel and user-mode debugging",
"category": "debugging",
"platform": "windows",
"in_remnux": false,
"labs": [],
"typical_usage": [
"windbg.exe specimen.exe"
],
"for610_sections": [
2
],
"tags": [
"debugger",
"kernel",
"microsoft"
]
},
{
"id": "speakeasy",
"name": "speakeasy",
"aliases": [],
"description": "Windows binary emulator \u2014 emulates API calls to analyze malware behavior without native execution",
"category": "emulation",
"platform": "linux",
"in_remnux": true,
"labs": [
"1.4"
],
"typical_usage": [
"speakeasy -t specimen.exe -o report.json 2> report.txt",
"speakeasy -t shellcode.bin -r -a x86"
],
"for610_sections": [
1
],
"tags": [
"emulation",
"api-calls",
"behavioral-analysis"
]
},
{
"id": "scdbgc",
"name": "scdbgc",
"aliases": [
"scdbg"
],
"description": "Shellcode emulator \u2014 analyze shellcode behavior through API-level emulation",
"category": "emulation",
"platform": "both",
"in_remnux": true,
"labs": [
"3.4",
"3.5",
"4.6"
],
"typical_usage": [
"scdbgc /f shellcode.bin /s -1",
"scdbgc /f shellcode.bin /foff 0x3B /fopen qa.doc",
"scdbgc /f shellcode.bin /s -1 /norw"
],
"for610_sections": [
3,
4
],
"tags": [
"shellcode",
"emulation",
"api-calls"
]
},
{
"id": "runsc32",
"name": "runsc32",
"aliases": [
"runsc"
],
"description": "Execute extracted shellcode for dynamic analysis",
"category": "emulation",
"platform": "windows",
"in_remnux": false,
"labs": [
"3.5",
"4.6"
],
"typical_usage": [
"runsc32 -f shellcode.bin -o 0x3B -d qa.doc"
],
"for610_sections": [
3,
4
],
"tags": [
"shellcode",
"execution",
"dynamic-analysis"
]
},
{
"id": "box-js",
"name": "box-js",
"aliases": [],
"description": "JavaScript sandbox for analyzing malicious scripts by emulating browser/WScript APIs",
"category": "emulation",
"platform": "linux",
"in_remnux": true,
"labs": [],
"typical_usage": [
"box-js --output-dir=/tmp suspicious.js"
],
"for610_sections": [
3
],
"tags": [
"javascript",
"sandbox",
"emulation"
]
},
{
"id": "upx",
"name": "UPX",
"aliases": [
"upx"
],
"description": "Universal Packer for eXecutables \u2014 compress and decompress PE files",
"category": "unpacking",
"platform": "both",
"in_remnux": true,
"labs": [
"4.2"
],
"typical_usage": [
"upx -d packed.exe",
"upx -d packed.exe -o unpacked.exe"
],
"for610_sections": [
4
],
"tags": [
"packer",
"unpacker",
"compression"
]
},
{
"id": "scylla",
"name": "Scylla",
"aliases": [],
"description": "Dump processes from memory and reconstruct import address tables (IAT)",
"category": "unpacking",
"platform": "windows",
"in_remnux": false,
"labs": [
"4.2",
"4.3",
"5.4",
"5.8",
"5.10"
],
"typical_usage": [
"Scylla x64 > Attach to process > Dump > IAT Autosearch > Fix Dump"
],
"for610_sections": [
4,
5
],
"tags": [
"memory-dump",
"iat-reconstruction",
"unpacking"
]
},
{
"id": "ollydumpex",
"name": "OllyDumpEx",
"aliases": [],
"description": "x64dbg/x32dbg plugin for dumping unpacked process memory to disk",
"category": "unpacking",
"platform": "windows",
"in_remnux": false,
"labs": [
"4.3",
"5.4",
"5.8"
],
"typical_usage": [
"Plugins > OllyDumpEx > Dump process"
],
"for610_sections": [
4,
5
],
"tags": [
"memory-dump",
"x64dbg-plugin",
"unpacking"
]
},
{
"id": "pe-unmapper",
"name": "pe_unmapper",
"aliases": [],
"description": "Convert dumped PE from virtual memory alignment to raw disk alignment",
"category": "unpacking",
"platform": "windows",
"in_remnux": false,
"labs": [
"5.10"
],
"typical_usage": [
"pe_unmapper /in dumped.exe /base 400000 /out fixed.exe"
],
"for610_sections": [
5
],
"tags": [
"pe-fixup",
"memory-dump",
"alignment"
]
},
{
"id": "setdllcharacteristics",
"name": "setdllcharacteristics",
"aliases": [],
"description": "Modify PE header flags \u2014 commonly used to disable ASLR (DynamicBase)",
"category": "unpacking",
"platform": "windows",
"in_remnux": false,
"author": "Didier Stevens",
"labs": [
"4.2"
],
"typical_usage": [
"setdllcharacteristics -d specimen.exe"
],
"for610_sections": [
4
],
"tags": [
"pe-header",
"aslr",
"didier-stevens"
]
},
{
"id": "ilspy",
"name": "ILSpy",
"aliases": [],
"description": ".NET assembly decompiler \u2014 view C#/VB.NET source from compiled .NET binaries",
"category": "dotnet-analysis",
"platform": "windows",
"in_remnux": false,
"labs": [
"3.12",
"4.8"
],
"typical_usage": [
"ILSpy.exe assembly.exe"
],
"for610_sections": [
3,
4
],
"tags": [
"dotnet",
"decompiler",
"csharp"
]
},
{
"id": "ilspycmd",
"name": "ilspycmd",
"aliases": [],
"description": "Command-line .NET decompiler (CLI version of ILSpy)",
"category": "dotnet-analysis",
"platform": "linux",
"in_remnux": true,
"labs": [
"4.8"
],
"typical_usage": [
"ilspycmd assembly.exe > decompiled.cs"
],
"for610_sections": [
4
],
"tags": [
"dotnet",
"decompiler",
"cli"
]
},
{
"id": "dnspyex",
"name": "dnSpyEx",
"aliases": [
"dnSpy"
],
"description": ".NET debugger and decompiler \u2014 debug obfuscated/packed .NET malware with breakpoints",
"category": "dotnet-analysis",
"platform": "windows",
"in_remnux": false,
"labs": [
"4.8"
],
"typical_usage": [
"dnSpyEx.exe assembly.exe"
],
"for610_sections": [
4
],
"tags": [
"dotnet",
"debugger",
"decompiler"
]
},
{
"id": "de4dot",
"name": "de4dot",
"aliases": [],
"description": ".NET deobfuscator \u2014 remove obfuscation from .NET assemblies",
"category": "dotnet-analysis",
"platform": "both",
"in_remnux": true,
"labs": [
"4.8"
],
"typical_usage": [
"de4dot obfuscated.exe"
],
"for610_sections": [
4
],
"tags": [
"dotnet",
"deobfuscation"
]
},
{
"id": "dotpeek",
"name": "dotPeek",
"aliases": [],
"description": "Free JetBrains .NET decompiler \u2014 alternative to ILSpy for viewing .NET source",
"category": "dotnet-analysis",
"platform": "windows",
"in_remnux": false,
"labs": [],
"typical_usage": [
"dotPeek.exe assembly.exe"
],
"for610_sections": [
4
],
"tags": [
"dotnet",
"decompiler",
"jetbrains"
]
},
{
"id": "dotdumper",
"name": "DotDumper",
"aliases": [],
"description": "Execution monitor and memory extractor for automatic .NET malware unpacking",
"category": "dotnet-analysis",
"platform": "windows",
"in_remnux": false,
"labs": [],
"typical_usage": [
"DotDumper.exe -file chatroom.exe"
],
"for610_sections": [
4
],
"tags": [
"dotnet",
"unpacking",
"memory-extraction",
"automated"
]
},
{
"id": "spidermonkey",
"name": "SpiderMonkey",
"aliases": [
"js"
],
"description": "Mozilla JavaScript engine \u2014 execute and deobfuscate malicious JavaScript outside a browser",
"category": "javascript-analysis",
"platform": "linux",
"in_remnux": true,
"labs": [
"3.6",
"3.7",
"4.5"
],
"typical_usage": [
"js -f malicious.js",
"js -f /usr/share/remnux/objects.js -f malicious.js > decoded.js"
],
"for610_sections": [
3,
4
],
"tags": [
"javascript",
"deobfuscation",
"execution"
]
},
{
"id": "js-beautify",
"name": "js-beautify",
"aliases": [],
"description": "Format and beautify obfuscated JavaScript code for readability",
"category": "javascript-analysis",
"platform": "linux",
"in_remnux": true,
"labs": [
"3.6",
"4.5"
],
"typical_usage": [
"js-beautify malicious.js > beautified.js"
],
"for610_sections": [
3
],
"tags": [
"javascript",
"formatting",
"readability"
]
},
{
"id": "cscript",
"name": "CScript",
"aliases": [
"cscript.exe"
],
"description": "Windows Script Host command-line \u2014 execute JScript/VBScript for AMSI monitoring",
"category": "javascript-analysis",
"platform": "windows",
"in_remnux": false,
"labs": [
"3.6"
],
"typical_usage": [
"cscript malicious.js"
],
"for610_sections": [
3
],
"tags": [
"javascript",
"vbscript",
"windows-script-host"
]
},
{
"id": "powershell-ise",
"name": "PowerShell ISE",
"aliases": [
"powershell_ise"
],
"description": "PowerShell Integrated Scripting Environment \u2014 debug scripts with breakpoints and variable inspection",
"category": "powershell-analysis",
"platform": "windows",
"in_remnux": false,
"labs": [
"3.9",
"3.11",
"4.5"
],
"typical_usage": [
"powershell_ise script.ps1"
],
"for610_sections": [
3,
4
],
"tags": [
"powershell",
"debugger",
"script-analysis"
]
},
{
"id": "logman",
"name": "logman",
"aliases": [],
"description": "Windows Event Trace session manager \u2014 enable AMSI script content logging",
"category": "powershell-analysis",
"platform": "windows",
"in_remnux": false,
"labs": [
"3.6"
],
"typical_usage": [
"logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets",
"logman stop AMSITrace -ets"
],
"for610_sections": [
3
],
"tags": [
"amsi",
"event-tracing",
"monitoring"
]
},
{
"id": "amsiscriptcontentretrieval",
"name": "AMSIScriptContentRetrieval",
"aliases": [],
"description": "Extract monitored script content from AMSI Event Trace logs",
"category": "powershell-analysis",
"platform": "windows",
"in_remnux": false,
"labs": [
"3.6"
],
"typical_usage": [
"AMSIScriptContentRetrieval AMSITrace.etl > output.txt"
],
"for610_sections": [
3
],
"tags": [
"amsi",
"script-extraction"
]
},
{
"id": "floss",
"name": "FLOSS",
"aliases": [
"floss"
],
"description": "Automatically extract obfuscated strings from malware using static analysis, stack strings, and emulation",
"category": "string-deobfuscation",
"platform": "both",
"in_remnux": true,
"labs": [
"5.2",
"5.3"
],
"typical_usage": [
"floss specimen.exe",
"floss specimen.exe > strings-output.txt",
"floss --no-static -- specimen.exe"
],
"for610_sections": [
5
],
"tags": [
"strings",
"deobfuscation",
"automated"
]
},
{
"id": "xorsearch",
"name": "XORSearch",
"aliases": [],
"description": "Search for XOR/ROL/ROT/SHIFT-encoded patterns including shellcode signatures",
"category": "string-deobfuscation",
"platform": "linux",
"in_remnux": true,
"author": "Didier Stevens",
"labs": [
"3.5",
"5.2"
],
"typical_usage": [
"XORSearch -W -d 3 file.bin",
"XORSearch -i -s specimen.exe http:"
],
"for610_sections": [
3,
5
],
"tags": [
"xor",
"shellcode-detection",
"pattern-search",
"didier-stevens"
]
},
{
"id": "brxor-py",
"name": "brxor.py",
"aliases": [],
"description": "Brute-force XOR key detection for single-byte XOR-encoded strings",
"category": "string-deobfuscation",
"platform": "linux",
"in_remnux": true,
"labs": [
"5.2"
],
"typical_usage": [
"brxor.py specimen.dll"
],
"for610_sections": [
5
],
"tags": [
"xor",
"brute-force",
"deobfuscation"
]
},
{
"id": "bbcrack",
"name": "bbcrack",
"aliases": [],
"description": "Detect and decode strings obfuscated with XOR, ROL, and ADD algorithms",
"category": "string-deobfuscation",
"platform": "linux",
"in_remnux": true,
"labs": [
"5.2"
],
"typical_usage": [
"bbcrack -l 1 specimen.dll"
],
"for610_sections": [
5
],
"tags": [
"xor",
"rol",
"add",
"deobfuscation",
"balbuzard"
]
},
{
"id": "strdeob-pl",
"name": "strdeob.pl",
"aliases": [],
"description": "Automatically decode stack-built strings from disassembled malware",
"category": "string-deobfuscation",
"platform": "linux",
"in_remnux": true,
"labs": [
"5.2"
],
"typical_usage": [
"strdeob.pl specimen.exe"
],
"for610_sections": [
5
],
"tags": [
"stack-strings",
"deobfuscation"
]
},
{
"id": "cyberchef",
"name": "CyberChef",
"aliases": [],
"description": "Web-based data transformation tool \u2014 decode Base64, XOR, hex, decompress, and chain operations",
"category": "string-deobfuscation",
"platform": "both",
"in_remnux": true,
"labs": [
"1.5",
"3.8",
"3.12"
],
"typical_usage": [
"cyberchef"
],
"for610_sections": [
1,
3
],
"tags": [
"decoding",
"encoding",
"transformation",
"web-based"
]
},
{
"id": "capa",
"name": "capa",
"aliases": [],
"description": "Identify malware capabilities mapped to MITRE ATT&CK framework and Malware Behavior Catalog",
"category": "yara-detection",
"platform": "both",
"in_remnux": true,
"labs": [
"1.4",
"5.4"
],
"typical_usage": [
"capa specimen.exe",
"capa -vv specimen.exe",
"capa -vv specimen.exe | grep -A7 'Suspended Process'"
],
"for610_sections": [
1,
5
],
"tags": [
"capabilities",
"mitre-attack",
"automated-analysis"
]
},
{
"id": "yara",
"name": "yara",
"aliases": [
"yara-rules"
],
"description": "Pattern matching tool for identifying and classifying malware using custom rules",
"category": "yara-detection",
"platform": "both",
"in_remnux": true,
"labs": [
"3.4"
],
"typical_usage": [
"yara-rules specimen.bin",
"yara rule.yar specimen.exe"
],
"for610_sections": [
3
],
"tags": [
"pattern-matching",
"classification",
"rules"
]
},
{
"id": "1768-py",
"name": "1768.py",
"aliases": [],
"description": "Parse Cobalt Strike beacon configuration from shellcode or memory dumps",
"category": "yara-detection",
"platform": "linux",
"in_remnux": true,
"author": "Didier Stevens",
"labs": [
"3.4"
],
"typical_usage": [
"1768.py shellcode.bin"
],
"for610_sections": [
3
],
"tags": [
"cobalt-strike",
"beacon",
"c2-config",
"didier-stevens"
]
},
{
"id": "scyllahide",
"name": "ScyllaHide",
"aliases": [],
"description": "x64dbg/x32dbg plugin to hide debugger presence from anti-debugging checks",
"category": "anti-analysis",
"platform": "windows",
"in_remnux": false,
"labs": [
"5.3",
"5.6"
],
"typical_usage": [
"Plugins > ScyllaHide > Options > Enable all"
],
"for610_sections": [
5
],
"tags": [
"anti-debugging",
"debugger-hiding",
"x64dbg-plugin"
]
},
{
"id": "xanalyzer",
"name": "xAnalyzer",
"aliases": [],
"description": "x32dbg plugin providing extended analysis \u2014 API parameter names and types in disassembly",
"category": "anti-analysis",
"platform": "windows",
"in_remnux": false,
"labs": [
"5.10"
],
"typical_usage": [
"Plugins > xAnalyzer"
],
"for610_sections": [
5
],
"tags": [
"x32dbg-plugin",
"analysis-enhancement"
]
},
{
"id": "virustotal",
"name": "VirusTotal",
"aliases": [
"VT"
],
"description": "Multi-engine antivirus scanning, behavioral analysis, and threat intelligence \u2014 uploaded samples are shared with other users and vendors, so weigh the OPSEC impact (tipping off the adversary, leaking sensitive data) before submitting a targeted or confidential file; hash lookups do not share the sample",
"category": "online-platforms",
"platform": "online",
"in_remnux": false,
"labs": [],
"typical_usage": [
"https://virustotal.com"
],
"for610_sections": [
1
],
"tags": [
"scanning",
"multi-engine",
"threat-intel"
]
},
{
"id": "hybrid-analysis",
"name": "Hybrid Analysis",
"aliases": [],
"description": "CrowdStrike automated sandbox for malware detonation and behavioral reporting",
"category": "online-platforms",
"platform": "online",
"in_remnux": false,
"labs": [],
"typical_usage": [
"https://hybrid-analysis.com"
],
"for610_sections": [
1
],
"tags": [
"sandbox",
"behavioral",
"crowdstrike"
]
},
{
"id": "any-run",
"name": "Any.run",
"aliases": [],
"description": "Interactive online malware analysis sandbox with real-time process monitoring",
"category": "online-platforms",
"platform": "online",
"in_remnux": false,
"labs": [],
"typical_usage": [
"https://any.run"
],
"for610_sections": [
1
],
"tags": [
"sandbox",
"interactive",
"real-time"
]
},
{
"id": "cape-sandbox",
"name": "CAPE Sandbox",
"aliases": [
"CAPE"
],
"description": "Automated malware analysis sandbox with payload extraction and config dumping",
"category": "online-platforms",
"platform": "online",
"in_remnux": false,
"labs": [],
"typical_usage": [
"https://capesandbox.com"
],
"for610_sections": [
1
],
"tags": [
"sandbox",
"automated",
"payload-extraction"
]
},
{
"id": "malwarebazaar",
"name": "MalwareBazaar",
"aliases": [],
"description": "Malware sample sharing platform by abuse.ch",
"category": "online-platforms",
"platform": "online",
"in_remnux": false,
"labs": [],
"typical_usage": [
"https://bazaar.abuse.ch"
],
"for610_sections": [
1
],
"tags": [
"sample-sharing",
"repository"
]
},
{
"id": "intezer-analyze",
"name": "Intezer Analyze",
"aliases": [],
"description": "Automated code analysis platform for malware classification using code reuse detection",
"category": "online-platforms",
"platform": "online",
"in_remnux": false,
"labs": [],
"typical_usage": [
"https://analyze.intezer.com"
],
"for610_sections": [
1
],
"tags": [
"code-reuse",
"classification",
"automated"
]
},
{
"id": "filescan-io",
"name": "FileScan.IO",
"aliases": [],
"description": "Online malware analysis sandbox with multi-format support",
"category": "online-platforms",
"platform": "online",
"in_remnux": false,
"labs": [],
"typical_usage": [
"https://filescan.io"
],
"for610_sections": [
1
],
"tags": [
"sandbox",
"online"
]
},
{
"id": "urlscan-io",
"name": "urlscan.io",
"aliases": [],
"description": "Website and URL investigation service \u2014 screenshots, DOM analysis, network requests",
"category": "online-platforms",
"platform": "online",
"in_remnux": false,
"labs": [],
"typical_usage": [
"https://urlscan.io"
],
"for610_sections": [
1
],
"tags": [
"url-analysis",
"website-investigation"
]
},
{
"id": "shodan",
"name": "Shodan",
"aliases": [],
"description": "Search engine for internet-connected devices and exposed services",
"category": "online-platforms",
"platform": "online",
"in_remnux": false,
"labs": [],
"typical_usage": [
"https://shodan.io"
],
"for610_sections": [
1
],
"tags": [
"infrastructure",
"reconnaissance"
]
},
{
"id": "otx",
"name": "Open Threat Exchange",
"aliases": [
"OTX",
"LevelBlue Labs"
],
"description": "Threat intelligence sharing platform for indicators of compromise",
"category": "online-platforms",
"platform": "online",
"in_remnux": false,
"labs": [],
"typical_usage": [
"https://otx.alienvault.com"
],
"for610_sections": [
1
],
"tags": [
"threat-intel",
"ioc-sharing"
]
},
{
"id": "threatfox",
"name": "ThreatFox",
"aliases": [],
"description": "Threat intelligence platform for sharing IOCs associated with malware",
"category": "online-platforms",
"platform": "online",
"in_remnux": false,
"labs": [],
"typical_usage": [
"https://threatfox.abuse.ch"
],
"for610_sections": [
1
],
"tags": [
"threat-intel",
"ioc-sharing",
"abuse-ch"
]
},
{
"id": "securitytrails",
"name": "SecurityTrails",
"aliases": [],
"description": "Historical DNS records and IP/domain intelligence",
"category": "online-platforms",
"platform": "online",
"in_remnux": false,
"labs": [],
"typical_usage": [
"https://securitytrails.com"
],
"for610_sections": [
1
],
"tags": [
"dns-history",
"domain-intel"
]
},
{
"id": "unpacme",
"name": "UnpacMe",
"aliases": [],
"description": "Automated online malware unpacking service",
"category": "online-platforms",
"platform": "online",
"in_remnux": false,
"labs": [],
"typical_usage": [
"https://www.unpac.me"
],
"for610_sections": [
4
],
"tags": [
"unpacking",
"automated",
"online"
]
},
{
"id": "vmware-workstation",
"name": "VMware Workstation Pro",
"aliases": [
"VMware"
],
"description": "Desktop hypervisor for running isolated analysis VMs with snapshots and host-only networking",
"category": "virtualization",
"platform": "both",
"in_remnux": false,
"labs": [],
"typical_usage": [
"vmware"
],
"for610_sections": [
1
],
"tags": [
"hypervisor",
"vm",
"isolation"
]
},
{
"id": "vmware-fusion",
"name": "VMware Fusion",
"aliases": [],
"description": "macOS hypervisor for running analysis virtual machines",
"category": "virtualization",
"platform": "both",
"in_remnux": false,
"labs": [],
"typical_usage": [
"VMware Fusion.app"
],
"for610_sections": [
1
],
"tags": [
"hypervisor",
"macos"
]
},
{
"id": "virtualbox",
"name": "VirtualBox",
"aliases": [],
"description": "Open-source hypervisor for running analysis virtual machines",
"category": "virtualization",
"platform": "both",
"in_remnux": false,
"labs": [],
"typical_usage": [
"VirtualBox"
],
"for610_sections": [
1
],
"tags": [
"hypervisor",
"open-source"
]
},
{
"id": "visual-studio-code",
"name": "Visual Studio Code",
"aliases": [
"code",
"VS Code"
],
"description": "Code editor used for viewing decompiled output, scripts, and analysis results",
"category": "utilities",
"platform": "both",
"in_remnux": true,
"labs": [
"1.3",
"1.4",
"1.5",
"3.3",
"3.6",
"3.7",
"4.5",
"4.8",
"5.2",
"5.3"
],
"typical_usage": [
"code filename.js"
],
"for610_sections": [
1,
3,
4,
5
],
"tags": [
"editor",
"code-viewer"
]
},
{
"id": "notepadpp",
"name": "Notepad++",
"aliases": [],
"description": "Advanced Windows text editor with syntax highlighting for script analysis",
"category": "utilities",
"platform": "windows",
"in_remnux": false,
"labs": [
"3.6",
"3.8",
"3.9",
"3.10",
"3.11",
"3.12",
"4.5"
],
"typical_usage": [
"notepad++ script.ps1"
],
"for610_sections": [
3,
4
],
"tags": [
"editor",
"windows"
]
},
{
"id": "jq",
"name": "jq",
"aliases": [],
"description": "Command-line JSON processor for extracting and transforming structured data",
"category": "utilities",
"platform": "linux",
"in_remnux": true,
"labs": [
"1.4"
],
"typical_usage": [
"cat report.json | jq '.apis'",
"jq -r '.entry' report.json"
],
"for610_sections": [
1
],
"tags": [
"json",
"data-processing"
]
},
{
"id": "feh",
"name": "feh",
"aliases": [],
"description": "Lightweight image viewer for viewing extracted images from documents",
"category": "utilities",
"platform": "linux",
"in_remnux": true,
"labs": [
"3.1"
],
"typical_usage": [
"feh extracted_image.jpg"
],
"for610_sections": [
3
],
"tags": [
"image-viewer"
]
},
{
"id": "winscp",
"name": "WinSCP",
"aliases": [],
"description": "Windows SCP/SFTP client for transferring files between Windows and Linux VMs",
"category": "utilities",
"platform": "windows",
"in_remnux": false,
"labs": [
"4.5"
],
"typical_usage": [
"WinSCP.exe"
],
"for610_sections": [
4
],
"tags": [
"file-transfer",
"scp"
]
},
{
"id": "wine",
"name": "Wine",
"aliases": [],
"description": "Windows compatibility layer \u2014 run Windows executables on Linux; this genuinely executes the binary as your user with access to the Linux filesystem, so run untrusted specimens under it only inside an isolated, snapshotted analysis VM",
"category": "utilities",
"platform": "linux",
"in_remnux": true,
"labs": [
"3.5"
],
"typical_usage": [
"wine program.exe"
],
"for610_sections": [
3
],
"tags": [
"windows-compat",
"execution"
]
},
{
"id": "unzip",
"name": "unzip",
"aliases": [],
"description": "Extract ZIP archives containing malware samples",
"category": "utilities",
"platform": "linux",
"in_remnux": true,
"labs": [
"1.1",
"3.1",
"3.3",
"3.4",
"3.5",
"3.6",
"3.7",
"4.1",
"4.8",
"5.2",
"5.3",
"5.4"
],
"typical_usage": [
"unzip -P infected sample.zip"
],
"for610_sections": [
1,
3,
4,
5
],
"tags": [
"archive",
"extraction"
]
},
{
"id": "gunzip",
"name": "gunzip",
"aliases": [],
"description": "Decompress gzip-compressed data (often used in multi-stage payload extraction)",
"category": "utilities",
"platform": "linux",
"in_remnux": true,
"labs": [
"3.4"
],
"typical_usage": [
"gunzip -c compressed.gz > output.bin"
],
"for610_sections": [
3
],
"tags": [
"compression",
"extraction"
]
},
{
"id": "rar",
"name": "rar",
"aliases": [
"unrar"
],
"description": "Extract RAR archives (including self-extracting RAR payloads)",
"category": "utilities",
"platform": "both",
"in_remnux": true,
"labs": [
"3.5"
],
"typical_usage": [
"rar x archive.rar"
],
"for610_sections": [
3
],
"tags": [
"archive",
"extraction"
]
},
{
"id": "hexdump",
"name": "hexdump",
"aliases": [],
"description": "Display file content in hexadecimal format",
"category": "utilities",
"platform": "linux",
"in_remnux": true,
"labs": [],
"typical_usage": [
"hexdump -C binary.dat"
],
"for610_sections": [
1
],
"tags": [
"hex",
"binary-viewing"
]
},
{
"id": "xxd",
"name": "xxd",
"aliases": [],
"description": "Create hex dump of a file or reverse a hex dump back to binary",
"category": "utilities",
"platform": "linux",
"in_remnux": true,
"labs": [],
"typical_usage": [
"xxd binary.exe",
"xxd -r hexdump.txt > binary.exe"
],
"for610_sections": [
1
],
"tags": [
"hex",
"binary-conversion"
]
},
{
"id": "binwalk",
"name": "binwalk",
"aliases": [],
"description": "Analyze and extract embedded files and firmware images",
"category": "utilities",
"platform": "linux",
"in_remnux": true,
"labs": [],
"typical_usage": [
"binwalk firmware.bin",
"binwalk -e firmware.bin"
],
"for610_sections": [
1
],
"tags": [
"firmware",
"extraction",
"embedded-files"
]
},
{
"id": "wget",
"name": "wget",
"aliases": [],
"description": "Download files from HTTP/HTTPS/FTP servers",
"category": "utilities",
"platform": "linux",
"in_remnux": true,
"labs": [],
"typical_usage": [
"wget http://example.com/file.bin"
],
"for610_sections": [
1
],
"tags": [
"download",
"http"
]
},
{
"id": "curl",
"name": "curl",
"aliases": [],
"description": "Transfer data to/from servers using various protocols",
"category": "utilities",
"platform": "linux",
"in_remnux": true,
"labs": [],
"typical_usage": [
"curl -L http://example.com",
"curl -o output.bin http://example.com/file"
],
"for610_sections": [
1
],
"tags": [
"download",
"http",
"transfer"
]
},
{
"id": "reg-export",
"name": "reg_export",
"aliases": [],
"description": "Extract registry key values to files \u2014 used to recover malware artifacts stored in registry",
"category": "utilities",
"platform": "windows",
"in_remnux": false,
"author": "Adam Kramer",
"labs": [
"4.5"
],
"typical_usage": [
"reg_export HKCU\\software\\keyname valuename output.js"
],
"for610_sections": [
4
],
"tags": [
"registry",
"extraction",
"windows"
]
},
{
"id": "regedit",
"name": "Regedit",
"aliases": [],
"description": "Windows Registry Editor for browsing and modifying registry keys",
"category": "utilities",
"platform": "windows",
"in_remnux": false,
"labs": [
"4.5"
],
"typical_usage": [
"regedit.exe"
],
"for610_sections": [
4
],
"tags": [
"registry",
"windows"
]
}
]
}