f3ccc09c3d
Build comprehensive malware analysis knowledge base from 3 sources:
- SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes
- REMnux salt-states: 340 packages parsed from GitHub
- REMnux docs: 280+ tools scraped from docs.remnux.org

Master inventory merges all sources into 447 tools with help tiers (rich/standard/basic). Pipeline generates: tools.db (397 entries), 397 cheatsheets with multi-tool recipes, 15 workflow guides, 224 TLDR pages, and coverage reports.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
398 lines
40 KiB
Plaintext
1768.py|Parse Cobalt Strike beacon configuration from shellcode or memory dumps|Examine Static Properties > Deobfuscation|1768.py shellcode.bin|rich
7-Zip|Compress and decompress files using a variety of algorithms.|Examine Static Properties > General|7-Zip --help|standard
7zip|(no description available)||7zip --help|basic
AESKeyFinder|Find 128-bit and 256-bit AES keys in a memory image.|Perform Memory Forensics|AESKeyFinder --help|standard
AndroidProjectCreator|Convert an Android APK application file into an Android Studio project for easier analysis.|Statically Analyze Code > Android|AndroidProjectCreator --help|standard
Burp Suite Community Edition|Investigate website interactions using this web proxy.|Explore Network Interactions > Monitoring|Burp Suite Community Edition --help|standard
Bytehist|Generate byte-usage histograms to visually identify packed or encrypted sections in binaries|Statically Analyze Code > Unpacking|bytehist specimen.exe|rich
ClamAV|Open-source antivirus — scan files for known malware signatures|Examine Static Properties > General|clamscan <sample>|rich
Cobalt Strike Configuration Extractor (CSCE) and Parser|Analyze Cobalt Strike beacons.|Examine Static Properties > Deobfuscation|Cobalt Strike Configuration Extractor (CSCE) and Parser --help|standard
Cutter|Open-source reverse engineering platform — Qt-based GUI for radare2|Statically Analyze Code > General|cutter specimen.exe|rich
CyberChef|Web-based data transformation tool — decode Base64, XOR, hex, decompress, and chain operations|Examine Static Properties > Deobfuscation|cyberchef|rich
Decompyle++|Python bytecode disassembler and decompiler.|Statically Analyze Code > Python|Decompyle++ --help|standard
EPIC IRC Client|Examine IRC activities with this IRC client.|Explore Network Interactions > Connecting|EPIC IRC Client --help|standard
FLOSS|Automatically extract obfuscated strings from malware using static analysis, stack strings, and emulation|Examine Static Properties > Deobfuscation|floss specimen.exe|rich
Frida|Dynamic instrumentation toolkit — hook and trace running processes, intercept function calls in real time|Dynamically Reverse-Engineer Code > General|frida -l hook.js <process_name>|rich
GNOME Calculator|Calculator.|General Utilities|GNOME Calculator --help|standard
GNU Wget|Interact with servers via HTTP, HTTPS, FTP, and FTPS using this command-line tool.|Explore Network Interactions > Connecting|GNU Wget --help|standard
GhidrAssistMCP|MCP server for AI-assisted reverse engineering in Ghidra.|Use Artificial Intelligence|GhidrAssistMCP --help|standard
Ghidra|Open-source disassembler and decompiler from NSA with scripting, function graphs, and data type management|Statically Analyze Code > General|ghidra|rich
Hachoir|View, edit, and carve contents of various binary file types.|Examine Static Properties > General|Hachoir --help|standard
Hash ID|Identify different types of hashes.|Examine Static Properties > General|Hash ID --help|standard
ILSpy|.NET assembly decompiler — view C#/VB.NET source from compiled .NET binaries|Statically Analyze Code > .NET|ILSpy.exe assembly.exe|rich
INetSim|Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for malware analysis in isolated labs|Explore Network Interactions > Services|inetsim|rich
JD-GUI Java Decompiler|Java decompiler with GUI.|Statically Analyze Code > Java|JD-GUI Java Decompiler --help|standard
Javassist|Java bytecode engineering toolkit/library.|Statically Analyze Code > Java|Javassist --help|standard
Malcat Lite|Analyze binary files using a hex editor, disassembler, and file dissector.|Examine Static Properties > General|Malcat Lite --help|standard
Malchive|Multi-purpose malware analysis library — config extraction, deobfuscation, and static analysis|Examine Static Properties > Deobfuscation|malchive <sample>|rich
Network Miner Free Edition|Examine network traffic and carve PCAP capture files.|Explore Network Interactions > Monitoring|Network Miner Free Edition --help|standard
ProcDOT|Visualize Process Monitor logs as interactive graphs for behavioral analysis|Investigate System Interactions|procdot|rich
Procyon|Java decompiler.|Statically Analyze Code > Java|Procyon --help|standard
REMnux Installer|Install and update the REMnux distro.|General Utilities|REMnux Installer --help|standard
RSAKeyFinder|Find BER-encoded RSA private keys in a memory image.|Perform Memory Forensics|RSAKeyFinder --help|standard
SQLite|Manage and interact with SQL database files.|General Utilities|SQLite --help|standard
Sleuth Kit|Analyze disk images and recover files from them.|Examine Static Properties > General|Sleuth Kit --help|standard
SpiderMonkey|Mozilla JavaScript engine — execute and deobfuscate malicious JavaScript outside a browser|Dynamically Reverse-Engineer Code > Scripts|js -f malicious.js|rich
Thug|Low-interaction honeyclient for analyzing malicious websites and drive-by downloads|Explore Network Interactions > Connecting|thug -u win7chrome49 http://suspicious-site.com|rich
UPX|Universal Packer for eXecutables — compress and decompress PE files|Statically Analyze Code > Unpacking|upx -d packed.exe|rich
Unfurl|Deconstruct and decode URLs — reveal tracking parameters, encoded data, and redirect chains|Explore Network Interactions > Connecting|unfurl parse <url>|rich
Visual Studio Code|Code editor used for viewing decompiled output, scripts, and analysis results|View or Edit Files|code filename.js|rich
Vivisect|Binary analysis and emulation framework — static analysis with emulation capabilities|Statically Analyze Code > General|vivbin <sample>|rich
Wine|Windows compatibility layer — run Windows executables on Linux|Dynamically Reverse-Engineer Code > General|wine program.exe|rich
Wireshark|GUI network protocol analyzer for capturing and inspecting packet-level traffic|Explore Network Interactions > Monitoring|wireshark|rich
XLMMacroDeobfuscator|Deobfuscate Excel 4.0 (XLM) macros — these hide in hidden sheets and are hard to detect|Analyze Documents > Microsoft Office|xlmdeobfuscator --file <spreadsheet.xlsm>|rich
XORSearch|Search for XOR/ROL/ROT/SHIFT-encoded patterns including shellcode signatures|Examine Static Properties > Deobfuscation|XORSearch -W -d 3 file.bin|rich
YARA-Forge Rules|Scan files with curated YARA rules from 45+ sources for malware family identification.|Examine Static Properties > General|YARA-Forge Rules --help|standard
aeskeyfind|(no description available)||aeskeyfind --help|basic
androguard|Analyze Android APK files — extract permissions, activities, intents, and decompile DEX code|Statically Analyze Code > Android|androguard analyze <app.apk>|rich
android-project-creator|(no description available)||android-project-creator --help|basic
anomy|A wrapper around wget, ssh, sftp, ftp, and telnet to route these connections through Tor to anonymize your traffic.|Explore Network Interactions > Connecting|anomy --help|standard
apkid|Identify compilers, packers, and obfuscators used to protect Android APK and DEX files.|Statically Analyze Code > Android|apkid --help|standard
apktool|Decompile and recompile Android APK files — extract resources, smali code, and manifest|Statically Analyze Code > Android|apktool d <app.apk> -o output/|rich
apt-utils|(no description available)||apt-utils --help|basic
archive-zip|(no description available)||archive-zip --help|basic
autoconf|(no description available)||autoconf --help|basic
autoit-ripper|Extract AutoIt scripts embedded in PE binaries.|Statically Analyze Code > Scripts|autoit-ripper --help|standard
autologin|(no description available)||autologin --help|basic
automake|(no description available)||automake --help|basic
baksmali|Disassembler for the dex format used by Dalvik, Android's Java VM implementation.|Statically Analyze Code > Android|baksmali --help|standard
balbuzard|Extract and deobfuscate patterns from suspicious files.|Examine Static Properties > Deobfuscation|balbuzard --help|standard
base64dump.py|Extract and decode Base64-encoded strings from files|Examine Static Properties > Deobfuscation|base64dump.py file.txt|rich
bash-history|(no description available)||bash-history --help|basic
bash-rc|(no description available)||bash-rc --help|basic
bbcrack|Detect and decode strings obfuscated with XOR, ROL, and ADD algorithms|string-deobfuscation|bbcrack -l 1 specimen.dll|rich
bearparser|(no description available)||bearparser --help|basic
binee (Binary Emulation Environment)|Analyze I/O operations of a suspicious PE file by emulating its execution.|Statically Analyze Code > PE Files|binee (Binary Emulation Environment) --help|standard
binee|(no description available)||binee --help|basic
binutils|(no description available)||binutils --help|basic
binwalk|Analyze and extract embedded files and firmware images|Examine Static Properties > General|binwalk firmware.bin|rich
box-js|JavaScript sandbox for analyzing malicious scripts by emulating browser/WScript APIs|Dynamically Reverse-Engineer Code > Scripts|box-js --output-dir=/tmp suspicious.js|rich
brxor.py|Brute-force XOR key detection for single-byte XOR-encoded strings|Examine Static Properties > Deobfuscation|brxor.py specimen.dll|rich
build-essential|(no description available)||build-essential --help|basic
bulk-extractor|Extract interesting strings from binary files.|Examine Static Properties > General|bulk-extractor --help|standard
bundler|(no description available)||bundler --help|basic
burpsuite-community|(no description available)||burpsuite-community --help|basic
cabextract|Extract Microsoft cabinet (cab) files.|General Utilities|cabextract --help|standard
capa|Identify malware capabilities mapped to MITRE ATT&CK framework and Malware Behavior Catalog|Statically Analyze Code > PE Files|capa specimen.exe|rich
cast|Install and manage SaltStack-based Linux distributions.|General Utilities|cast --help|standard
cffi|(no description available)||cffi --help|basic
cfr|Modern Java decompiler — handles Java 8+ features including lambdas and try-with-resources|Statically Analyze Code > Java|cfr <file.jar> --outputdir output/|rich
chepy|Decode and otherwise analyze data using this command-line tool and Python library.|Examine Static Properties > Deobfuscation|chepy --help|standard
clamav-daemon|(no description available)||clamav-daemon --help|basic
compatibility|(no description available)||compatibility --help|basic
cs-analyze-processdump.py|Analyze Cobalt Strike beacon process dumps for sleep mask encoding|Examine Static Properties > Deobfuscation|cs-analyze-processdump.py <process_dump>|rich
cs-decrypt-metadata.py|Decrypt Cobalt Strike beacon metadata from network captures|Examine Static Properties > Deobfuscation|cs-decrypt-metadata.py <metadata_hex>|rich
cs-extract-key.py|Extract AES and HMAC encryption keys from Cobalt Strike beacon process memory dumps|Examine Static Properties > Deobfuscation|cs-extract-key.py -f <process_dump>|rich
cs-parse-traffic.py|Decrypt and parse Cobalt Strike beacon network traffic using extracted keys|Explore Network Interactions > Monitoring|cs-parse-traffic.py -f <capture.pcap> -k <keys_file>|rich
curl|Transfer data to/from servers using various protocols|Explore Network Interactions > Connecting|curl -L http://example.com|rich
cut-bytes.py|Cut out a part of a data stream.|Examine Static Properties > Deobfuscation|cut-bytes.py --help|standard
dc3-mwcp|DC3 Malware Configuration Parser — extract C2 configs from known malware families|Examine Static Properties > Deobfuscation|mwcp parse <sample>|rich
de4dot|.NET deobfuscator — remove obfuscation from .NET assemblies|Statically Analyze Code > .NET|de4dot obfuscated.exe|rich
decode-vbe.py|Decode encoded VBS scripts (VBE).|Statically Analyze Code > Scripts|decode-vbe.py --help|standard
default-jdk|(no description available)||default-jdk --help|basic
default-jre|(no description available)||default-jre --help|basic
dex2jar|Examine Dalvik Executable (dex) files.|Statically Analyze Code > Android|dex2jar --help|standard
dexray|Extract and decode data from antivirus quarantine files.|Gather and Analyze Data|dexray --help|standard
dialog|(no description available)||dialog --help|basic
didier-stevens-scripts|(no description available)||didier-stevens-scripts --help|basic
diec|Detect packers, compilers, and tools used to create executables|Examine Static Properties > General|diec specimen.exe|rich
disitool|Manipulate embedded digital signatures.|Examine Static Properties > General|disitool --help|standard
display|(no description available)||display --help|basic
dissect|Perform a variety of forensics and incident response tasks using this DFIR framework and toolset.|Gather and Analyze Data|dissect --help|standard
distro-info|(no description available)||distro-info --help|basic
dllcharacteristics|(no description available)||dllcharacteristics --help|basic
dnfile|Analyze static properties of.|Examine Static Properties > .NET|dnfile --help|standard
dnslib|Python library to encode/decode DNS wire-format packets.|Gather and Analyze Data|dnslib --help|standard
dnsresolver.py|DNS resolver tool for dynamic analysis with wildcard and tracking support.|Explore Network Interactions > Services|dnsresolver.py --help|standard
docker|Run and manage containers.|General Utilities|docker --help|standard
dog|(no description available)||dog --help|basic
dos2unix|Convert text files with Windows or macOS line breaks to Unix line breaks and vice versa.|View or Edit Files|dos2unix --help|standard
dot-cache|(no description available)||dot-cache --help|basic
dot-config|(no description available)||dot-config --help|basic
dot-cpan|(no description available)||dot-cpan --help|basic
dot-dbus|(no description available)||dot-dbus --help|basic
dot-local|(no description available)||dot-local --help|basic
dotnet-runtime-3-1|(no description available)||dotnet-runtime-3-1 --help|basic
dotnetfile|Analyze static properties of.|Examine Static Properties > .NET|dotnetfile --help|standard
droidlysis|Perform static analysis of Android applications.|Examine Static Properties > General|droidlysis --help|standard
edb-debugger|(no description available)||edb-debugger --help|basic
emldump.py|Parse and analyze EML email message files|Analyze Documents > Email Messages|emldump.py message.eml|rich
enchant|(no description available)||enchant --help|basic
epic5|(no description available)||epic5 --help|basic
evilclippy|Remove VBA project password protection and manipulate Office macro settings|Analyze Documents > Microsoft Office|evilclippy -uu document.docm|rich
evince|View documents in a variety of formats, including PDF.|View or Edit Files|evince --help|standard
ex-pe-xor|Search an XOR'ed file for indications of executable binaries.|Examine Static Properties > Deobfuscation|ex-pe-xor --help|standard
exfat-utils|(no description available)||exfat-utils --help|basic
exiftool|Extract metadata from files (PDF, images, documents, executables)|Examine Static Properties > General|exiftool document.pdf|rich
fakedns|Fake DNS server that resolves all queries to a specified IP for traffic interception|Explore Network Interactions > Services|fakedns|rich
fakemail|Intercept and examine SMTP email activity with this fake SMTP server.|Explore Network Interactions > Services|fakemail --help|standard
fakenet-ng|Emulate network services (HTTP, DNS, SMTP, FTP) to intercept and analyze malware traffic dynamically|Explore Network Interactions > Services|fakenet|rich
feh|Lightweight image viewer for viewing extracted images from documents|View or Edit Files|feh extracted_image.jpg|rich
file-magic.py|Identify file types using the Python magic module.|Examine Static Properties > General|file-magic.py --help|standard
file|Determine file type and MIME type using magic bytes|Examine Static Properties > General|file specimen.exe|rich
firefox|Web browser.|General Utilities|firefox --help|standard
flare-floss|(no description available)||flare-floss --help|basic
flex|(no description available)||flex --help|basic
format-bytes.py|Decompose structured binary data with format strings.|Examine Static Properties > Deobfuscation|format-bytes.py --help|standard
galculator|(no description available)||galculator --help|basic
gdb|(no description available)||gdb --help|basic
gdm3|(no description available)||gdm3 --help|basic
gift|(no description available)||gift --help|basic
git|(no description available)||git --help|basic
gnome-session|(no description available)||gnome-session --help|basic
gnome-shell-extensions|(no description available)||gnome-shell-extensions --help|basic
gnome-terminal|(no description available)||gnome-terminal --help|basic
gnome-tweaks|(no description available)||gnome-tweaks --help|basic
gnutls-bin|(no description available)||gnutls-bin --help|basic
goresym|Extract metadata and symbols from Go binaries, including stripped ones.|Examine Static Properties > Go|goresym --help|standard
graphviz|(no description available)||graphviz --help|basic
grub-kvm|(no description available)||grub-kvm --help|basic
guest-tools|(no description available)||guest-tools --help|basic
gunzip|Decompress gzip-compressed data (often used in multi-stage payload extraction)|utilities|gunzip -c compressed.gz > output.bin|rich
hex-to-bin.py|Convert hexadecimal text dumps to binary data.|Examine Static Properties > Deobfuscation|hex-to-bin.py --help|standard
hexdump|Display file content in hexadecimal format|utilities|hexdump -C binary.dat|rich
httpd|Simple HTTP server on REMnux for simulating C2 web servers|Explore Network Interactions > Services|httpd|rich
i386-architecture|(no description available)||i386-architecture --help|basic
ibus|Adjust input methods for the GUI.|General Utilities|ibus --help|standard
ilspycmd|Command-line .NET decompiler (CLI version of ILSpy)|dotnet-analysis|ilspycmd assembly.exe > decompiled.cs|rich
imagemagick|View and manipulate image and related files.|View or Edit Files|imagemagick --help|standard
inspircd|Examine IRC activity with this IRC server.|Explore Network Interactions > Services|inspircd --help|standard
ioc-parser|Extract indicators of compromise (IOCs) from PDF reports and text files|Gather and Analyze Data|ioc_parser <report.pdf>|rich
iproute2|(no description available)||iproute2 --help|basic
iptables|Linux firewall and NAT tool for redirecting IP-based malware traffic|network-analysis|iptables -t nat -A PREROUTING -i ens32 -j REDIRECT|rich
iputils-ping|(no description available)||iputils-ping --help|basic
ipwhois|Retrieve and parse whois data for IP addresses.|Gather and Analyze Data|ipwhois --help|standard
ipython3|(no description available)||ipython3 --help|basic
jadx|Decompile Android DEX/APK to Java source code with a GUI or command line|Statically Analyze Code > Android|jadx <app.apk> -d output/|rich
java-idx-parser|Analyze Java IDX files.|Statically Analyze Code > Java|java-idx-parser --help|standard
jd-gui|Visual Java decompiler with GUI — browse and search decompiled JAR/class files||jd-gui <file.jar>|rich
jq|Command-line JSON processor for extracting and transforming structured data|utilities|cat report.json jq '.apis'|rich
js-beautify|Format and beautify obfuscated JavaScript code for readability|Statically Analyze Code > Scripts|js-beautify malicious.js > beautified.js|rich
jstillery|Deobfuscate JavaScript scripts using AST and Partial Evaluation techniques.|Dynamically Reverse-Engineer Code > Scripts|jstillery --help|standard
lame|(no description available)||lame --help|basic
libboost-dev|(no description available)||libboost-dev --help|basic
libboost-python-dev|(no description available)||libboost-python-dev --help|basic
libboost-system-dev|(no description available)||libboost-system-dev --help|basic
libdpkg-perl|(no description available)||libdpkg-perl --help|basic
libemail-outlook-message-perl|(no description available)||libemail-outlook-message-perl --help|basic
libemu|A library for x86 code emulation and shellcode detection.|Dynamically Reverse-Engineer Code > Shellcode|libemu --help|standard
libffi-dev|(no description available)||libffi-dev --help|basic
libfuse2|(no description available)||libfuse2 --help|basic
libfuzzy-dev|(no description available)||libfuzzy-dev --help|basic
libfuzzy2|(no description available)||libfuzzy2 --help|basic
libglib2|(no description available)||libglib2 --help|basic
libglu1-mesa-dev|(no description available)||libglu1-mesa-dev --help|basic
libgraphviz-dev|(no description available)||libgraphviz-dev --help|basic
libgtk-3-0|(no description available)||libgtk-3-0 --help|basic
libjavassist-java|(no description available)||libjavassist-java --help|basic
libjpeg-dev|(no description available)||libjpeg-dev --help|basic
libjpeg8-dev|(no description available)||libjpeg8-dev --help|basic
liblzma-dev|(no description available)||liblzma-dev --help|basic
liblzo2-dev|(no description available)||liblzo2-dev --help|basic
libmagic-dev|(no description available)||libmagic-dev --help|basic
libmysqlclient21|(no description available)||libmysqlclient21 --help|basic
libncurses|(no description available)||libncurses --help|basic
libnetfilter-queue-dev|(no description available)||libnetfilter-queue-dev --help|basic
libnfnetlink-dev|(no description available)||libnfnetlink-dev --help|basic
libolecf|Microsoft Office OLE2 compound documents.|Analyze Documents > Microsoft Office|libolecf --help|standard
libpq5|(no description available)||libpq5 --help|basic
libqt5scripttools5|(no description available)||libqt5scripttools5 --help|basic
libre2|(no description available)||libre2 --help|basic
libsm6|(no description available)||libsm6 --help|basic
libsqlite3-dev|(no description available)||libsqlite3-dev --help|basic
libssl-dev|(no description available)||libssl-dev --help|basic
libtool|(no description available)||libtool --help|basic
libtre5|(no description available)||libtre5 --help|basic
libusb-1|(no description available)||libusb-1 --help|basic
libxml2-dev|(no description available)||libxml2-dev --help|basic
libxslt1-dev|(no description available)||libxslt1-dev --help|basic
lief|Parse and analyze PE, ELF, MachO, DEX, OAT, VDEX, ART, and DWARF executable formats.|Examine Static Properties > General|lief --help|standard
linux-headers|(no description available)||linux-headers --help|basic
ltrace|(no description available)||ltrace --help|basic
magika|Identify file type using signatures.|Examine Static Properties > General|magika --help|standard
mail-parser|Parse raw SMTP email messages and extract headers, body, and attachments|Analyze Documents > Email Messages|python3 -c "import mailparser; mail = mailparser.parse_from_file('<email.eml>'); print(mail.subject)"|rich
malcat|(no description available)||malcat --help|basic
malwoverview|Query VirusTotal, Hybrid Analysis, and MalwareBazaar for malware intelligence|Gather and Analyze Data|malwoverview -v <hash>|rich
manalyze|(no description available)||manalyze --help|basic
mbcscan|Scan a PE file to list the associated Malware Behavior Catalog (MBC) details.|Statically Analyze Code > PE Files|mbcscan --help|standard
mercurial|(no description available)||mercurial --help|basic
microsoft-vscode|(no description available)||microsoft-vscode --help|basic
microsoft|(no description available)||microsoft --help|basic
mitmproxy|Interactive HTTPS proxy for intercepting, inspecting, and modifying encrypted web traffic|Explore Network Interactions > Monitoring|mitmproxy|rich
mono-devel|(no description available)||mono-devel --help|basic
mono-utils|(no description available)||mono-utils --help|basic
monodis|Disassemble and extract resources from.|Examine Static Properties > .NET|monodis --help|standard
mono|(no description available)||mono --help|basic
msg-extractor|Extract emails and attachments from Microsoft Outlook MSG files|Analyze Documents > Email Messages|extract_msg <email.msg>|rich
msgconvert|Convert MSG files to MBOX files.|Analyze Documents > Email Messages|msgconvert --help|standard
msitools|Create, inspect and extract Windows Installer (.|Examine Static Properties > General|msitools --help|standard
msoffcrypto-crack.py|Recover the password of an encrypted Microsoft Office document.|Analyze Documents > Microsoft Office|msoffcrypto-crack.py --help|standard
msoffcrypto-tool|Decrypt password-protected Microsoft Office documents (OLE and OOXML)|Analyze Documents > Microsoft Office|msoffcrypto-tool -p infected <encrypted.docx> <decrypted.docx>|rich
msoffice-crypt|Encrypt and decrypt OOXML Microsoft Office documents.|Analyze Documents > Microsoft Office|msoffice-crypt --help|standard
myip|Determine the IP address of the default network interface.|General Utilities|myip --help|standard
myjson-filter.py|Filter data formatted using the JSON format used by Didier Stevens' tools.|General Utilities|myjson-filter.py --help|standard
mynic|(no description available)||mynic --help|basic
name-that-hash|Identify different types of hashes.|Examine Static Properties > General|name-that-hash --help|standard
nano|(no description available)||nano --help|basic
nasm|An x86-64 assembler.|General Utilities|nasm --help|standard
nautilus|Graphical file manager.|General Utilities|nautilus --help|standard
nc|Network utility for reading/writing data across TCP/UDP connections|Explore Network Interactions > Connecting|nc -l -p 3127|rich
ndg-httpsclient|(no description available)||ndg-httpsclient --help|basic
net-tools|(no description available)||net-tools --help|basic
networkminer|Passive network traffic analyzer — extracts files, images, credentials from PCAP captures||NetworkMiner --pcap <capture.pcap>|rich
nginx|Web server.|Explore Network Interactions > Services|nginx --help|standard
ngrep|Search network traffic for patterns — like grep for packets|Explore Network Interactions > Monitoring|ngrep -I <capture.pcap> 'password'|rich
nodejs|(no description available)||nodejs --help|basic
nomorexor|Help guess a file's 256-byte XOR by using frequency analysis.|Examine Static Properties > Deobfuscation|nomorexor --help|standard
nslookup|DNS query tool for testing name resolution|network-analysis|nslookup domain.com|rich
nsrllookup|Look up MD5 file hashes in the NIST National Software Reference Library (NSRL).|Gather and Analyze Data|nsrllookup --help|standard
numbers-to-string.py|Convert sequences of decimal numbers to readable characters|Examine Static Properties > General|oledump.py doc.docm -s A3 -v numbers-to-string.py -j|rich
objdump|Disassemble binary files.|Statically Analyze Code > General|objdump --help|standard
objects.js|Emulate common browser and PDF viewer objects, methods, and properties when deobfuscating JavaScript.|Dynamically Reverse-Engineer Code > Scripts|objects.js --help|standard
oledump.py|Analyze OLE2 files (Office documents), extract streams and VBA macros|Analyze Documents > Microsoft Office|oledump.py document.docm|rich
olefile|Python package to parse, read and write MS OLE2 files.|Analyze Documents > Microsoft Office|olefile --help|standard
olevba|Extract and analyze VBA macros from Office documents with deobfuscation|Analyze Documents > Microsoft Office|olevba document.docm|rich
onedump.py|Extract and analyze embedded files from OneNote documents.|Analyze Documents > Microsoft Office|onedump.py --help|standard
opencode|Open-source AI coding agent for the terminal.|Use Artificial Intelligence|opencode --help|standard
openjdk|(no description available)||openjdk --help|basic
openssh|Initiate and receive SSH and SFTP connections.|General Utilities|openssh --help|standard
openssl|(no description available)||openssl --help|basic
origamindee|Parse, modify, generate PDF files.|Analyze Documents > PDF|origamindee --help|standard
osarch|(no description available)||osarch --help|basic
pcode2code|Decompile VBA p-code from Office documents — works even when VBA source is removed|Analyze Documents > Microsoft Office|pcode2code <document.docm>|rich
pcodedmp|Disassemble VBA p-code.|Analyze Documents > Microsoft Office|pcodedmp --help|standard
pdf-parser.py|Parse PDF structure, locate objects, extract content, and search for strings|Analyze Documents > PDF|pdf-parser.py document.pdf -a|rich
pdfid.py|Scan PDF files for suspicious keywords like /JavaScript, /OpenAction, /Launch without parsing|Analyze Documents > PDF|pdfid.py document.pdf|rich
pdfresurrect|Extract and analyze previous versions from PDF files|Analyze Documents > PDF|pdfresurrect document.pdf|rich
pdftk|Manipulate PDF files — merge, split, flatten, encrypt, and extract embedded content|Analyze Documents > PDF|pdftk input.pdf cat output output.pdf flatten|rich
pdftool.py|Analyze PDF incremental updates|Analyze Documents > PDF|pdftool.py document.pdf|rich
pdnstool|Query passive DNS databases for DNS data.|Gather and Analyze Data|pdnstool --help|standard
pe-tree|(no description available)||pe-tree --help|basic
pedump|(no description available)||pedump --help|basic
peepdf|Interactive PDF analysis framework with JavaScript detection and exploitation capabilities|Analyze Documents > PDF|peepdf -i malicious.pdf|rich
peframe|Static analysis of PE files — extract properties, detect anomalies, identify packers|static-analysis-pe|peframe specimen.exe|rich
perl|(no description available)||perl --help|basic
pestr|Extract ASCII and Unicode strings from PE files|static-analysis-pe|pestr specimen.exe|rich
pev|(no description available)||pev --help|basic
pgadmin|(no description available)||pgadmin --help|basic
pip|(no description available)||pip --help|basic
pkg-config|(no description available)||pkg-config --help|basic
polarproxy|Transparent TLS proxy that decrypts traffic and saves it as PCAP for analysis in Wireshark|Explore Network Interactions > Monitoring|PolarProxy -p 443,80 -w captured.pcap|rich
portex|(no description available)||portex --help|basic
powershell|Run PowerShell scripts and commands.|Dynamically Reverse-Engineer Code > Scripts|powershell --help|standard
prefer-ipv4|(no description available)||prefer-ipv4 --help|basic
procyon-decompiler|(no description available)||procyon-decompiler --help|basic
protobuf|(no description available)||protobuf --help|basic
pycdc|(no description available)||pycdc --help|basic
pyelftools|(no description available)||pyelftools --help|basic
pyinstaller-extractor|Extract contents of PyInstaller-generated PE files.|Statically Analyze Code > Python|pyinstaller-extractor --help|standard
pyinstxtractor-ng|Extract contents of PyInstaller-generated executables without needing matching Python version|Statically Analyze Code > Python|pyinstxtractor-ng <packed_exe>|rich
python-debian|(no description available)||python-debian --help|basic
python3-cryptography|(no description available)||python3-cryptography --help|basic
python3-dev|(no description available)||python3-dev --help|basic
python3-dnspython|(no description available)||python3-dnspython --help|basic
python3-magic|(no description available)||python3-magic --help|basic
python3-netifaces|(no description available)||python3-netifaces --help|basic
python3-numpy|(no description available)||python3-numpy --help|basic
python3-pil|(no description available)||python3-pil --help|basic
python3-pip|(no description available)||python3-pip --help|basic
python3-pyasn1|(no description available)||python3-pyasn1 --help|basic
python3-pyqt5|(no description available)||python3-pyqt5 --help|basic
python3-requests|(no description available)||python3-requests --help|basic
python3-setuptools|(no description available)||python3-setuptools --help|basic
python3-ssdeep|(no description available)||python3-ssdeep --help|basic
python3-tk|(no description available)||python3-tk --help|basic
python3-venv|(no description available)||python3-venv --help|basic
python3-virtualenv|(no description available)||python3-virtualenv --help|basic
python3-wheel|(no description available)||python3-wheel --help|basic
python3|(no description available)||python3 --help|basic
qiling|Multi-platform binary emulation framework — emulate PE, ELF, shellcode across OS/arch combinations|Statically Analyze Code > General|python3 -c "from qiling import Qiling; ql = Qiling(['<sample>'], '/path/to/rootfs')"|rich
qpdf|Decrypt, linearize, and transform PDF files — useful for removing password protection|Analyze Documents > PDF|qpdf --decrypt encrypted.pdf output.pdf|rich
|
qtbase5-dev|(no description available)||qtbase5-dev --help|basic
|
|
radare2|Open-source reverse engineering command-line framework|Dynamically Reverse-Engineer Code > General|r2 specimen.exe|rich
|
|
rar|Extract RAR archives (including self-extracting RAR payloads)|General Utilities|rar x archive.rar|rich
|
|
re-search.py|Search the file for built-in regular expressions of common suspicious artifacts.|Examine Static Properties > General|re-search.py --help|standard
|
|
redress|Analyze stripped Go binaries to recover symbols, types, source structure, and integrate with Radare2.|Examine Static Properties > Go|redress --help|standard
|
|
refresh|(no description available)||refresh --help|basic
|
|
remnux-mcp-server|MCP server for using the REMnux malware analysis toolkit via AI assistants.|Use Artificial Intelligence|remnux-mcp-server --help|standard
|
|
remnux|(no description available)||remnux --help|basic
|
|
remove-app-icons|(no description available)||remove-app-icons --help|basic
|
|
rhino|(no description available)||rhino --help|basic
|
|
rsakeyfind|(no description available)||rsakeyfind --help|basic
|
|
rtfdump.py|Analyze RTF file structure, identify hex-encoded groups and embedded objects|Analyze Documents > Microsoft Office|rtfdump.py document.rtf|rich
|
|
ruby-dev|(no description available)||ruby-dev --help|basic
|
|
ruby|(no description available)||ruby --help|basic
|
|
runsc32|Execute extracted shellcode for dynamic analysis|Dynamically Reverse-Engineer Code > Shellcode|runsc32 -f shellcode.bin -o 0x3B -d qa.doc|rich
|
|
salt-minion|(no description available)||salt-minion --help|basic
|
|
sandfly-processdecloak|Find hidden processes on the local Linux system.|Investigate System Interactions|sandfly-processdecloak --help|standard
|
|
scalpel|Carve contents out of binary files, such as partitions.|Gather and Analyze Data|scalpel --help|standard
|
|
scdbgc|Shellcode emulator — analyze shellcode behavior through API-level emulation|Dynamically Reverse-Engineer Code > Shellcode|scdbgc /f shellcode.bin /s -1|rich
|
|
scite|Edit text files.|View or Edit Files|scite --help|standard
|
|
sets.py|Perform set operations on lines or bytes in text files.|Examine Static Properties > Deobfuscation|sets.py --help|standard
|
|
sharutils|(no description available)||sharutils --help|basic
|
|
shcode2exe|Convert raw shellcode to a Windows PE executable for analysis in disassemblers|Dynamically Reverse-Engineer Code > Shellcode|shcode2exe <shellcode.bin> <output.exe>|rich
|
|
shellcode2exe-bat|Convert 32 and 64-bit shellcode to a Windows executable file.|Dynamically Reverse-Engineer Code > Shellcode|shellcode2exe-bat --help|standard
|
|
sift|(no description available)||sift --help|basic
|
|
signsrch|Find patterns of common encryption, compression, or encoding algorithms.|Examine Static Properties > General|signsrch --help|standard
|
|
sleuthkit|(no description available)||sleuthkit --help|basic
|
|
snapd|(no description available)||snapd --help|basic
|
|
snap|(no description available)||snap --help|basic
|
|
software-properties-common|(no description available)||software-properties-common --help|basic
|
|
sortcanon.py|Sort text files using canonicalization functions built into this tool.|General Utilities|sortcanon.py --help|standard
|
|
speakeasy|Windows binary emulator — emulates API calls to analyze malware behavior without native execution|Statically Analyze Code > PE Files|speakeasy -t specimen.exe -o report.json 2> report.txt|rich
|
|
ssdeep|Compute fuzzy hashes (CTPH) for finding similar files — useful for malware variant clustering|Examine Static Properties > General|ssdeep <sample>|rich
|
|
ssh|(no description available)||ssh --help|basic
|
|
ssview|Analyze OLE2 Structured Storage files.|Analyze Documents > Microsoft Office|ssview --help|standard
|
|
strace|(no description available)||strace --help|basic
|
|
strdeob.pl|Automatically decode stack-built strings from disassembled malware|Examine Static Properties > Deobfuscation|strdeob.pl specimen.exe|rich
|
|
strings|Extract printable ASCII and Unicode strings from binary files|Examine Static Properties > General|strings binary.exe|rich
|
|
subversion|(no description available)||subversion --help|basic
|
|
sudoers|(no description available)||sudoers --help|basic
|
|
sudo|(no description available)||sudo --help|basic
|
|
tcpdump|Command-line packet capture tool|Explore Network Interactions > Monitoring|tcpdump -i eth0 -w capture.pcap|rich
|
|
tcpflow|Extract and reassemble TCP streams from PCAP files into individual files|Explore Network Interactions > Monitoring|tcpflow -r <capture.pcap> -o output/|rich
|
|
tcpick|Capture and analyze network traffic with this command-line sniffer.|Explore Network Interactions > Monitoring|tcpick --help|standard
|
|
tcpxtract|Carve files from network traffic using file signatures|Explore Network Interactions > Monitoring|tcpxtract -f <capture.pcap> -o output/|rich
|
|
tesseract-ocr|Examine images to identify and extract text using optical character recognition (OCR).|Analyze Documents > General|tesseract-ocr --help|standard
|
|
texteditor.py|Edit text files from the command line using search-and-replace commands.|General Utilities|texteditor.py --help|standard
|
|
thefuzz|Fuzzy String Matching in Python.|Examine Static Properties > General|thefuzz --help|standard
|
|
time-decode|Decode and encode date and timestamps.|Gather and Analyze Data|time-decode --help|standard
|
|
torsocks|Route network traffic through the Tor anonymity network|network-analysis|torsocks curl http://example.onion|rich
|
|
tor|Obfuscate your origins by routing traffic through a network of anonymizing nodes.|Explore Network Interactions > Connecting|tor --help|standard
|
|
translate.py|Transform data using Python expressions (XOR, ADD, etc.)|Examine Static Properties > Deobfuscation|translate.py "byte ^ 35" < input.bin > output.bin|rich
|
|
trid|Identify file type by scanning binary signatures database|Examine Static Properties > General|trid document.doc|rich
|
|
tshark|Command-line interface to Wireshark for packet capture and analysis|Explore Network Interactions > Monitoring|tshark -r capture.pcap|rich
|
|
tzdata|(no description available)||tzdata --help|basic
|
|
ubuntu-universe|(no description available)||ubuntu-universe --help|basic
|
|
ubuntu|(no description available)||ubuntu --help|basic
|
|
uncompyle6|Decompile Python bytecode (.pyc) back to source — supports Python 1.0 through 3.8|Statically Analyze Code > Python|uncompyle6 <file.pyc>|rich
|
|
unhide|Find hidden processes or connections on the local Linux system.|Investigate System Interactions|unhide --help|standard
|
|
unicode|Display Unicode character properties.|Examine Static Properties > Deobfuscation|unicode --help|standard
|
|
unxor|Deobfuscate XOR'ed files.|Examine Static Properties > Deobfuscation|unxor --help|standard
|
|
unzip|Extract ZIP archives containing malware samples|General Utilities|unzip -P infected sample.zip|rich
|
|
user|(no description available)||user --help|basic
|
|
vbindiff|Compare binary files.|View or Edit Files|vbindiff --help|standard
|
|
vim|(no description available)||vim --help|basic
|
|
virustotal-search|Search VirusTotal for file hashes.|Gather and Analyze Data|virustotal-search --help|standard
|
|
virustotal-submit|Submit files to VirusTotal.|Gather and Analyze Data|virustotal-submit --help|standard
|
|
volatility3|Memory forensics framework — analyze RAM dumps to find malware, hidden processes, network connections, and injected code|Perform Memory Forensics|vol3 -f <memory_dump> windows.info|rich
|
|
vscode|(no description available)||vscode --help|basic
|
|
wget|Download files from HTTP/HTTPS/FTP servers|utilities|wget http://example.com/file.bin|rich
|
|
wireshark-dev|(no description available)||wireshark-dev --help|basic
|
|
wxhexeditor|Hex editor.|Examine Static Properties > General|wxhexeditor --help|standard
|
|
xdg-utils|(no description available)||xdg-utils --help|basic
|
|
xmldump.py|Extract contents of XML files, in particular OOXML-formatted Microsoft Office documents.|Analyze Documents > Microsoft Office|xmldump.py --help|standard
|
|
xmlstarlet|(no description available)||xmlstarlet --help|basic
|
|
xor-kpa.py|Implement a XOR known plaintext attack.|Examine Static Properties > Deobfuscation|xor-kpa.py --help|standard
|
|
xorbruteforcer|Bruteforce an XOR-encoded file.|Examine Static Properties > Deobfuscation|xorbruteforcer --help|standard
|
|
xorstrings|Search for XOR encoded strings in a file.|Examine Static Properties > Deobfuscation|xorstrings --help|standard
|
|
xortool|Analyze XOR-encoded data — guess key length and probable key bytes|Examine Static Properties > Deobfuscation|xortool <encoded_file>|rich
|
|
xterm|(no description available)||xterm --help|basic
|
|
xxd|Create hex dump of a file or reverse a hex dump back to binary|utilities|xxd binary.exe|rich
|
|
yara-x|Scan files using YARA rules, the next generation of YARA written in Rust.|Gather and Analyze Data|yara-x --help|standard
|
|
yara|Pattern matching tool for identifying and classifying malware using custom rules|Examine Static Properties > General|yara-rules specimen.bin|rich
|
|
zbar-tools|(no description available)||zbar-tools --help|basic
|
|
zbarimg|Decode QR codes and barcodes from image files.|Explore Network Interactions > Connecting|zbarimg --help|standard
|
|
zipdump.py|Parse and analyze ZIP archive structure|Analyze Documents > Microsoft Office|zipdump.py archive.zip|rich
|
|
zlib1g-dev|(no description available)||zlib1g-dev --help|basic
|