Remnux-A tool for reverse engineering Malware

Few months back i joined a new company and here i started working on this new tool.It is pretty excited.It’s a very handy tool equipped with the tools which helps you to do malware analysis.

I am new to malware analysis so can’t share much but try to share my experience what i have learned till now.

In my day to day work , I come across many Suspicious/Phishing emails which we need to analyse.Spam email is easy to analyse but when it comes to Phishing you definitely need a buddy(Analysis Software/tool) to help you to conclude whether it’s a spam or phishing email.

Remnux include many inbuilt tools to help you.

REMnux Tools
Category Tool Name How to Invoke (Basic Command) Description Package Tool Source/Info
Edit and View Files: Binary VBinDiff vbindiff Compare binary files vbindiff (APT) http://www.cjmweb.net/vbindiff/
Edit and View Files: Binary wxHexEditor wxHexEditor Graphical hex editor wxhexeditor (APT) http://sourceforge.net/projects/wxhexeditor/
Edit and View Files: Documents Xpdf xpdf PDF viewer xpdf (APT) http://www.foolabs.com/xpdf/
Edit and View FIles: Images feh feh Image viewer feh (APT) http://feh.finalrewind.org/
Edit and View Files: Images ImageMagick display Image viewer imagemagick (APT) http://www.imagemagick.org/
Edit and View Files: Text Geany geany Powerful text editor with an integrated developer environment geany (APT) http://www.geany.org/
Edit and View Files: Text SciTE scite Simple, yet powerful text editor scite (APT) http://www.scintilla.org/SciTE.html
Examine Browser Malware: Flash extract_swf extract_swf.py Extract Flash object from files remnux-scripts (APT) https://gist.github.com/noonat/821548
Examine Browser Malware: Flash flare flare Extract and decompile ActionScript from SWF files remnux-flare (APT) http://www.nowrap.de/flare.html
Examine Browser Malware: Flash RABCDAsm rabcdasm, abcexport Examine ActionScript from Flash files remnux-rabcdasm (APT) https://github.com/CyberShadow/RABCDAsm
Examine Browser Malware: Flash SWF Tools swfdump, swfextract, swfstrings, etc. A toolkit for examining, creating and modifying Flash files swftools (APT) http://www.swftools.org/
Examine Browser Malware: Flash xxxswf xxxswf.py Extract Flash objects from other files remnux-scripts (APT) https://bitbucket.org/Alexander_Hanel/xxxswf
Examine Browser Malware: Java CFR cfr Decompile Java class files remnux-cfr (APT) http://www.benf.org/other/cfr/
Examine Browser Malware: Java Jad jad Java Decompiler remnux-jad (APT) http://varaneckas.com/jad
Examine Browser Malware: Java Java Cache IDX Parser idx_parser.py Examine Java IDX files remnux-scripts (APT) https://github.com/Rurik/Java_IDX_Parser/
Examine Browser Malware: Java Java Decompiler jd-gui Decompile Java class files remnux-jd-gui (APT) http://jd.benow.ca/
Examine Browser Malware: JavaScript ExtractScripts extractscripts.py Extract JavaScript scripts from an HTML file remnux-didier (APT) http://blog.didierstevens.com/programs/extractscripts/
Examine Browser Malware: JavaScript Firebug firefox, F12 JavaScript debugger for Firefox get-remnux http://getfirebug.com/
Examine Browser Malware: JavaScript JS Beautifier js-beautify Reformat JavaScript scripts to improve their readability jsbeautifier (PIP) https://github.com/einars/js-beautify
Examine Browser Malware: JavaScript JSDetox jsdetox Decode obfuscated JavaScript remnux/jsdetox (Docker) http://www.relentless-coding.com/projects/jsdetox/
Examine Browser Malware: JavaScript objects.js js -f /usr/share/remnux/objects.js -f malware.js Library of JavaScript objects commonly defined by a browser or a PDF reader remnux-config (APT)
Examine Browser Malware: JavaScript Rhino Debugger rhino-debugger Standalone JavaScript debugger rhino (APT) https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Rhino/Debugger
Examine Browser Malware: JavaScript SpiderMonkey js, js-didier JavaScript engine from Mozilla libmozjs-24-bin (APT),
remnux-js-didier (APT) https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey
Examine Browser Malware: JavaScript V8 d8 Command-line shell (d8) for the JavaScript engine from Google (V8) remnux-v8 (APT) https://code.google.com/p/v8/
Examine Browser Malware: Websites Automater cd /opt/remnux-automater && ./Automater.py Look up URL/Domain, IP and MD5 hash details remnux-automater (APT) http://www.tekdefense.com/automater/
Examine Browser Malware: Websites Burp Proxy Free Edition burpsuite Analyze and interact with websites in a controlled manner remnux-burpsuite-free (APT) http://portswigger.net/burp/
Examine Browser Malware: Websites CapTipper cd /opt/remnux-captipper && sudo ./CapTipper.py Examine network traffic and carve PCAP capture files remnux-captipper (apt) https://github.com/omriher/CapTipper
Examine Browser Malware: Websites curl curl Command-line tool for retrieving website contents curl (APT) http://curl.haxx.se/
Examine Browser Malware: Websites Firefox firefox Web browser firefox (APT) http://www.mozilla.org/firefox
Examine Browser Malware: Websites mitmproxy mitmproxy, mitmdump Intercept, modify, replay and save HTTP and HTTPS traffic mitmproxy (PIP) http://mitmproxy.org/
Examine Browser Malware: Websites Network Miner Free Edition NetworkMiner Examine network traffic and carve PCAP capture files remnux-network-miner (APT) http://www.netresec.com/?page=NetworkMiner
Examine Browser Malware: Websites pdns passive.py Perform passive DNS lookups remnux-python-pdns (APT)
Examine Browser Malware: Websites pdnstool pdnstool Perform passive DNS lookups passivedns-client (Gem) https://github.com/chrislee35/passivedns-client
Examine Browser Malware: Websites QuickJava firefox, QJ button Toggle Firefox’ support for risky web contents get-remnux https://addons.mozilla.org/en-US/firefox/addon/quickjava/
Examine Browser Malware: Websites tcpflow tcpflow Examine network traffic and carve PCAP capture files tcpflow (APT) https://github.com/simsong/tcpflow
Examine Browser Malware: Websites tcpxtract tcpxtract Extract files from network traffic tcpxtract (APT) http://tcpxtract.sourceforge.net/
Examine Browser Malware: Websites Thug thug.py Honeyclient for investigating suspicios websites remnux-thug (APT) https://github.com/buffer/thug
Examine Browser Malware: Websites Tor tor start Tools for directing network traffic through anonymizing proxies tor (APT)
torsocks (APT) https://www.torproject.org/
Examine Browser Malware: Websites Wget wget Command-line tool for retrieving website contents wget (APT) https://www.gnu.org/software/wget/
Examine Document Files: Microsoft Office emldump emldump.py Examine suspicious MIME files remnux-didier (APT) https://isc.sans.edu/diary/Malicious+Word+Document+This+Time+The+Maldoc+Is+A+MIME+File/19673/
Examine Document Files: Microsoft Office libolecf olecfexport, olecfinfo, olecfmount Analyze OLE2 files libolecf-tools (APT) https://github.com/libyal/libolecf
Examine Document Files: Microsoft Office officeparser officeparser.py Extract embedded files and macros from office documents remnux-scripts (APT) https://github.com/unixfreak0037/officeparser
Examine Document Files: Microsoft Office oledump oledump.py Examine suspicious Microsoft Office files remnux-didier (APT) http://blog.didierstevens.com/programs/oledump-py/
Examine Document Files: Microsoft Office oletools olevba, olebrowse, oletimes, rtfobj, pyxswf, etc. Analyze OLE2 files remnux-oletools (APT) http://www.decalage.info/python/oletools
Examine Document Files: Microsoft Office pyOLEScanner.py pyOLEScanner.py Examine suspicious Microsoft Office files remnux-scripts (APT) https://github.com/Evilcry/PythonScripts/raw/master/
Examine Document Files: PDF AnalyzePDF AnalyzePDF.py Examine a malicious PDF file remnux-scripts (APT) https://github.com/hiddenillusion/AnalyzePDF
Examine Document Files: PDF Origami pdfwalker, pdfextract, pdfcop, etc. Framework for examining, creating and modifying PDF files origami (Gem) https://code.google.com/p/origami-pdf/
Examine Document Files: PDF PDF X-RAY Lite pdfxray_lite.py Examine the PDF document structure and contents remnux-pdfxray-lite (APT) https://github.com/9b/pdfxray_lite
Examine Document Files: PDF pdfid pdfid Locate common suspicious artifacts in a PDF file remnux-didier (APT) http://blog.didierstevens.com/programs/pdf-tools/
Examine Document Files: PDF Pdfobjflow pdf-parser.py | pdfobjflow.py Visualizes the output from pdf-parser remnux-scripts (APT) http://www.aldeid.com/wiki/Pdfobjflow
Examine Document Files: PDF pdf-parser pdf-parser.py Examine a suspicious PDF file remnux-didier (APT) http://blog.didierstevens.com/programs/pdf-tools/
Examine Document Files: PDF PDFtk pdftk Edit PDF files pdftk (APT) http://www.pdflabs.com/tools/pdftk-the-pdf-toolkit/
Examine Document Files: PDF peepdf peepdf Analyze suspicious PDF files remnux-peepdf (APT) http://eternal-todo.com/tools/peepdf-pdf-analysis-tool#releases
Examine Document Files: PDF swf_mastah swf_mastah Extract Flash SWF objects from PDF files remnux-pdfxray-lite (APT) http://blog.9bplus.com/snatching-swf-from-pdfs-made-easier/
Examine Document Files: Shellcode dism-this dism-this.py Analyze disassembled data within file objects remnux-scripts (APT) http://hooked-on-mnemonics.blogspot.com/2012/10/dism-thispy.html
Examine Document Files: Shellcode sctest sctest Emulate shellcode execution libemu2 (APT) http://libemu.carnivore.it/
Examine Document Files: Shellcode shellcode2exe.py shellcode2exe.py Create a Windows executable file out of shellcode remnux-scripts (APT) https://github.com/MarioVilas/shellcode_tools/blob/master/shellcode2exe.py
Examine Document Files: Shellcode unicode2hex-escaped unicode2hex-escaped Clean up and convert Unicode to hex remnux-config (APT)
Examine Document Files: Shellcode unicode2raw unicode2raw Clean up and convert Unicode to raw remnux-config (APT)
Examine FIle Properties and Contents: Define Autorule autorule.py Automatically define Yara signatures for a set of files remnux-scripts (APT) http://joxeankoret.com/blog/2012/04/29/extracting-binary-patterns-in-malware-sets-and-generating-yara-rules/
Examine FIle Properties and Contents: Define IOCextractor IOCextractor.py Extract IOCs from a text report file remnux-scripts (APT) https://github.com/stephenbrannon/IOCextractor
Examine FIle Properties and Contents: Define Rule Editor rule-editor Edit IOC Yara, Snort and OpenIOC rules remnux-rule-editor (APT) https://github.com/ifontarensky/RuleEditor
Examine FIle Properties and Contents: Define YaraGenerator yaraGenerator.py Generate Yara rules for designated files remnux-scripts (APT) https://github.com/Xen0ph0n/YaraGenerator
Examine File Properties and Contents: Hashes Hash Identifier hash_id Identify the different types of hashes used to encrypt data and especially passwords remnux-scripts (APT) https://code.google.com/p/hash-identifier/
Examine File Properties and Contents: Hashes nsrllookup nsrllookup Look up file hashes on an NSRL database server remnux-nsrllookup (APT) https://github.com/rjhansen/nsrllookup
Examine File Properties and Contents: Hashes ssdeep ssdeep Define and scan for a “fuzzy” signature of a file ssdeep (APT) http://ssdeep.sourceforge.net/
Examine File Properties and Contents: Hashes totalhash totalhash.py Look up a suspicious file hash in the totalhash.com database remnux-scripts (APT) https://gist.github.com/malc0de/10270150
Examine File Properties and Contents: Hashes virustotal-search virustotal-search.py Look up a suspicious file hash in the virustotal.com database remnux-didier (APT) http://blog.didierstevens.com/programs/virustotal-tools/
Examine File Properties and Contents: Scan ClamAV clamscan Clam antivirus engine clamav-daemon (APT) http://www.clamav.net/
Examine file properties and contents: Scan Disitool disitool.py Manipulate digital signatures of Windows executables remnux-didier (APT) http://blog.didierstevens.com/programs/disitool/
Examine File Properties and Contents: Scan ExifTool exiftool Extract file properties libimage-exiftool-perl (APT) http://www.sno.phy.queensu.ca/~phil/exiftool/
Examine File Properties and Contents: Scan TrID trid, tridupdate Identify file types remnux-trid (APT) http://mark0.net/soft-trid-e.html
Examine File Properties and Contents: Scan virustotal-submit virustotal-submit.py Submit samples to VirusTotal remnux-didier (APT) http://blog.didierstevens.com/programs/virustotal-tools/
Examine File Properties and Contents: Scan Yara yara Identify and classify malware samples yara (APT) http://plusvic.github.io/yara/
Examine Memory Snapshots AESKeyFinder aeskeyfind Locate embedded AES keys aeskeyfind (APT)
Examine Memory Snapshots findaes findaes Locate embedded AES keys remnux-findaes (APT) http://jessekornblum.livejournal.com/269749.html
Examine Memory Snapshots Rekall rekall Memory forensics tool and framework rekall (PIP) http://www.rekall-forensic.com/
Examine Memory Snapshots RSAKeyFinder rsakeyfind Locate embedded RSA keys rsakeyfind (APT)
Examine Memory Snapshots Volatility Framework vol.py Memory forensics tool and framework python-volatility (APT) https://github.com/volatilityfoundation/volatility
Examine Memory Snapshots VolDiff VolDiff.sh Spot changes in memory images using Volatility remnux-scripts (APT) https://github.com/aim4r/VolDiff
Extract and Decode Artifacts: Carving bulk_extractor bulk_extractor, then BBViewer Scan a disk image, a file, or a directory of files and extracts useful information bulk-extractor (APT) https://github.com/simsong/bulk_extractor/
Extract and Decode Artifacts: Carving Foremost foremost Carve contents of files foremost (APT) http://foremost.sourceforge.net/
Extract and Decode Artifacts: Carving Hachoir hachoir-subfile, hachoir-metadata, hachoir-urwid View, edit and carve contents of various binary file types python-hachoir-* (APT) https://bitbucket.org/haypo/hachoir
Extract and Decode Artifacts: Carving pe-carv.py pe-carv.py Carve out PE files remnux-scripts (APT) http://hooked-on-mnemonics.blogspot.com/2013/03/pe-carvpy-ascii-hex-and-overlays.html
Extract and Decode Artifacts: Carving Scalpel scalpel Carve contents of files scalpel (APT) http://www.forensicswiki.org/wiki/Scalpel
Extract and Decode Artifacts: Deobfuscate Balbuzard balbuzard.py
bbcrack.py
bbharvest.py
bbtrans.py Extract and decode suspicious patterns from malicious files remnux-balbuzard (APT) https://bitbucket.org/decalage/balbuzard/wiki/Home
Extract and Decode Artifacts: Deobfuscate brutexor/iheartxor brutexor.py Bruteforce all possible 1-byte XOR key values and examine the file for strings that might have been encoded with these keys remnux-scripts (APT) http://hooked-on-mnemonics.blogspot.com/p/iheartxor.html
Extract and Decode Artifacts: Deobfuscate ex_pe_xor ex_pe_xor.py Carve out single-byte XOR encoded executables from files remnux-scripts (APT) http://hooked-on-mnemonics.blogspot.com/2014/04/expexorpy.html
Extract and Decode Artifacts: Deobfuscate NoMoreXOR NoMoreXOR.py Guess 256-byte XOR keys by using frequency analysis remnux-scripts (APT) https://github.com/hiddenillusion/NoMoreXOR
Extract and Decode Artifacts: Deobfuscate unXOR unxor.py Guess a XOR key via known-plaintext attacks remnux-scripts (APT) https://github.com/tomchop/unxor/
Extract and Decode Artifacts: Deobfuscate XORBruteForcer xorBruteForcer.py implements a XOR bruteforcing of a given file remnux-scripts (APT) http://eternal-todo.com/category/bruteforce
Extract and Decode Artifacts: Deobfuscate XORSearch xorsearch Locate and decode strings obfuscated using common techniques remnux-didier (APT) http://blog.didierstevens.com/programs/xorsearch/
Extract and Decode Artifacts: Deobfuscate XORStrings xorstrings Locate and decode XOR-obfuscated strings remnux-didier (APT) http://blog.didierstevens.com/2013/04/15/new-tool-xorstrings/
Extract and Decode Artifacts: Deobfuscate xortool xortool
xortool-xor Locate and deobuscate contents encoded using a multi-byte XOR cipher xortool (PIP) https://github.com/hellman/xortool
Extract and Decode Artifacts: Extract Strings pestr pestr Extract strings from a PE file remnux-pev (APT) http://pev.sourceforge.net/
Extract and Decode Artifacts: Extract Strings strdeobj strdeobj.pl Extract and decode strings defined as arrays remnux-scripts (APT) http://totalhash.com/download/strdeob.pl.txt
Investigate Linux Malware: Debug Evan’s Debugger (EDB) edb Debug EFL binary files remnux-edb-debugger (APT) http://codef00.com/projects#debugger
Investigate Linux Malware: Debug GDB gdb A powerful debugger gdb-minimal (APT) http://www.sourceware.org/gdb/
Investigate Linux Malware: Investigate m2elf m2elf.pl Create an ELF binary file out of shellcode remnux-scripts (APT) https://github.com/XlogicX/m2elf
Investigate Linux Malware: System Sysdig sysdig Track and examine local system activities on a Linux system sysdig (APT) http://www.sysdig.org/
Investigate Linux Malware: System Unhide unhide Find local hidden processes or connections on a Linux system unhide (APT) http://www.unhide-forensics.info/
Investigate Linux Malware: Trace ltrace ltrace Trace library calls ltrace (APT) http://ltrace.org/
Investigate Linux Malware: Trace strace strace Trace system calls and signals strace (APT) http://sourceforge.net/projects/strace/
Investigate Mobile Malware AndroGuard androlyze.py, androdiff.py, androrisk.py, apkviewer.py, etc. Analyze Android applications remnux-androguard (APT) https://github.com/androguard/androguard
Investigate Mobile Malware Androwarn cd /opt/remnux-androwarn && ./androwarn.py Android static code analyzer remnux-androwarn (APT) https://github.com/maaaaz/androwarn
Library Capstone from capstone import * Multi-architecture disassembly framework python-capstone (APT) http://www.capstone-engine.org/
Library Cybox import cybox Python library for parsing, manipulating, and generating CybOX content cybox (PIP) https://github.com/CybOXProject/python-cybox
Library Disass from disass.Disass32 import Disass32 Binary analysis library for Python https://bitbucket.org/cybertools/disass
Library diStorm3 import distorm3 Library for disassembling binary files distorm3 (PIP),
libdistorm64-1 (APT) https://code.google.com/p/distorm/
Library IOC Writer from ioc_writer import… Python library for creating and editing OpenIOC objects remnux-ioc-writer https://github.com/mandiant/ioc_writer
Library Javassist Import /usr/share/java/javassist.jar Analyze Java bytecode libjavassist-java (APT) http://www.javassist.org
Library OfficeDissector import officedissector Examine suspicious Microsoft Office XML-based files remnux-officedissector (APT) https://github.com/grierforensics/officedissector
Library olefile import olefile Python library to read/write MS OLE2 files olefile (PIP) http://www.decalage.info/olefile
Library pefile import pefile A library for examining PE file contents remnux-pefile (APT) https://code.google.com/p/pefile/
Library pyexiftool import exiftool Python wrapper library for the ExifTool remnux-pyexiftool (APT) http://smarnach.github.io/pyexiftool/
Library pylibemu import pylibemu Library for accessing Libemu functionality remnux-pylibemu (APT) https://github.com/buffer/pylibemu
Library pyssdeep from ssdeep import ssdeep Python wrapper library for the ssdeep tool remnux-python-ssdeep (APT) https://code.google.com/p/pyssdeep/
Library PyV8 import PyV8 Python wrapper library for the Google V8 engine remnux-pyv8 (APT) https://code.google.com/p/pyv8/
Library xortools from xortools import rolling_xor Library for decoding XOR-obfuscated contents remnux-scripts (APT) https://github.com/hiddenillusion/yara-goodies/blob/master/xortools.py
Library Yara Library import yara Python library to identify and classify malware samples libyara3, python-yara, libyara-dev (APT) http://plusvic.github.io/yara/
Library Yara Rules yara /opt/remnux-rules/ … Rules/signatures for spotting malicious characteristics in files remnux-rules (APT) https://github.com/Yara-Rules/rules
Network: Misc. EPIC IRC Client irc IRC client epic5 (APT) http://www.epicsol.org/
Network: Misc. Netcat nc Flexible network client and server netcat (APT) http://netcat.sourceforge.net/
Network: Misc. prettyping.sh pping Ping a host while looking pretty remnux-scripts (APT) https://bitbucket.org/denilsonsa/small_scripts/src/3ec16014c839ea0852fae492813ad2293bd61155/prettyping.sh
Network: Misc. set-static-ip set-static-ip Temporarily assign a static IP remnux-config (APT)
Network: Misc. stunnel stunnel SSL encryption wrapper stunnel (APT) https://www.stunnel.org/
Network: Services accept-all-ips accept-all-ips Accept and redirect network traffic to all IPs remnux-scripts (APT)
Network: Services FakeDNS fakedns Respond to DNS queries with a specified IP address remnux-scripts (APT) http://code.activestate.com/recipes/491264-mini-fake-dns-server/
Network: Services fakeMail fakemail Fake mail server that captures emails messages sent through it without retransmitting them remnux-scripts (APT) http://sourceforge.net/projects/fakemail/
Network: Services INetSim inetsim Emulate common network services inetsim (APT) http://www.inetsim.org/
Network: Services Inspire IRCd ircd start IRC server inspircd (APT) http://www.inspircd.org/
Network: Services Nginx httpd start A web server nginx (APT) http://nginx.org/
Network: Services OpenSSH sshd start SSH server openssh-server (APT) http://www.openssh.com/
Network: Sniffing ngrep ngrep Sniff the network while looking for patterns that match the specified regular expressions ngrep (APT) http://ngrep.sourceforge.net/
Network: Sniffing TCPDump tcpdump Command-line network sniffer tcpdump (APT) http://www.tcpdump.org/
Network: Sniffing tcpick tcpick Sniffer that reassembles TCP streams tcpick (APT) http://tcpick.sourceforge.net/
Network: Sniffing Wireshark wireshark Network sniffer wireshark (APT) http://www.wireshark.org/
Other tasks bashacks See “man bashacks” Useful Bash shell functions remnux-bashacks (APT) https://github.com/merces/bashacks
Other tasks Docker docker, docker-update-images Run applications as isolated containers on the local host docker.io (APT) http://www.docker.com/
Other tasks ProcDOT procdot Visualize and examine the output of Process Monitor and network sniffer logs remnux-procdot (APT) http://www.procdot.com/
Other tasks REMnux Updater update-remnux Update or upgrade the REMnux distro on the local host remnux-scripts (APT) https://REMnux.org
Other tasks vtTool vtTool.py Determine malware name by querying VirusTotal remnux-vttool (APT) https://code.google.com/p/malware-crawler/wiki/vtTool
Process Multiple Samples Maltrieve maltrieve Retrieve malware from malicious sites remnux/maltrieve (Docker) https://github.com/technoskald/maltrieve
Process Multiple Samples MASTIFF mas Perform static analysis of suspicious files remnux-mastiff (APT) https://git.korelogic.com/mastiff.git/
Process Multiple Samples Ragpicker cd /opt/remnux-ragpicker && ./ragpicker.py Plugin based malware crawler and downloader with pre-analysis and reporting functionalities remnux-ragpicker (APT) https://code.google.com/p/malware-crawler/
Process Multiple Samples Viper viper Store, classify and investigate suspicious binary files remnux-viper (APT) https://github.com/botherder/viper
Process Multiple Samples WIPSTER Installer install-wipster Install web interface for MASTIFF and other tools remnux-scripts (APT) https://github.com/TheDr1ver/WIPSTER
Statically Examine PE files: Disassemble

Investigate Linux Malware: Disassemble objdump objdump Disassemble binary files binutils (APT) http://en.wikipedia.org/wiki/Objdump
Statically Examine PE files: Disassemble

Investigate Linux Malware: Disassemble Udis86 udcli Disassemble binary files remnux-udis86 (APT) http://udis86.sourceforge.net/
Statically Examine PE files: Disassemble

Investigate Linux Malware: Disassemble Vivisect vivbin, vdbbin Statically examine and emulate binary files remnux-vivisect (APT) http://visi.kenshoto.com/viki/Vivisect
Statically Examine PE files: Find Anomalies ExeScan exescan.py Statically examine a PE file and detect suspicious characteristics remnux-scripts (APT) http://securityxploded.com/exe-scan.php
Statically Examine PE files: Find Anomalies pedump pedump Statically examine a PE file pedump (Gem) http://pedump.me/
Statically Examine PE files: Find Anomalies Peframe peframe Statically Examine PE files remnux-peframe (APT) https://github.com/guelfoweb/peframe
Statically Examine PE files: Find Anomalies pescanner pescanner Statically examine a PE file remnux-scripts (APT) https://code.google.com/p/malwarecookbook/source/browse/trunk/3/8/pescanner.py
Statically Examine PE files: Find Anomalies pev pepack, pescan, pestr, pehash, readpe, etc. PE file analysis toolkit remnux-pev (APT) http://pev.sourceforge.net/
Statically Examine PE files: Find Anomalies Signsrch signsrch Locate common code patterns remnux-signsrch (APT) http://aluigi.altervista.org/mytoolz.htm
Statically Examine PE files: Investigate RATDecoders See /opt/remnux-ratdecoders Extract and decode configuration details from common RAT samples remnux-ratdecoders (APT) https://github.com/kevthehermit/RATDecoders
Statically Examine PE files: Investigate readpe.py readpe.py Extract contents of PE file headers remnux-pype32 (APT) https://github.com/crackinglandia/pype32
Statically Examine PE files: Investigate
Investigate Linux Malware: Investigate Bokken bokken Interactive static malware analysis tool remnux-bokken (APT) https://inguma.eu/projects/bokken
Statically Examine PE files: Investigate
Investigate Linux Malware: Investigate Pyew pyew Statically examine suspicious files pyew (APT) https://code.google.com/p/pyew/
Statically Examine PE files: Investigate
Investigate Linux Malware: Investigate
Edit and View Files: Binary Radare 2 radare2 Framework for examining binary files radare2 (APT) https://github.com/radare/radare2
Statically Examine PE files: Unpacking Bytehist bytehist Generate byte-usage-histograms for all types of files with a focus PE files remnux-bytehist (APT) https://www.cert.at/downloads/software/bytehist_en.html
Statically Examine PE files: Unpacking Density Scout densityscout Calculates density (like entropy) of files in the specified location, useful for finding packed programs remnux-densityscout (APT) http://www.cert.at/downloads/software/densityscout_en.html
Statically Examine PE files: Unpacking PackerID packerid Help determine which packer was used to protect a PE file remnux-scripts (APT) https://github.com/sooshie/packerid
Statically Examine PE files: Unpacking UPX upx A popular tool for packing and unpacking executable files upx-ucl (APT) http://upx.sourceforge.net/

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s