REMnux - A Linux Toolkit For Reverse-Engineering & Malware Analysis

REMnux - A Linux Toolkit For Reverse-Engineering & Malware Analysis

REMnux is a free Ubuntu-based Linux distribution designed for reverse engineering and malware analysis.

It is equipped with a lot of tools, the majority of them are listed below.
  • Thug: It is a Python low-interaction honeyclient aimed at mimicking the behavior of a web browser in order to detect and emulate malicious contents.
  • mitmproxy: It is a console tool that allows interactive examination and modification of HTTP traffic.
  • Network Miner Free Edition: It is a Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD).
  • curl: A tool to transfer data from or to a server, using one of the supported protocols (DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET and TFTP).
  • Wget: A free software package for retrieving files using HTTP, HTTPS and FTP, the most widely-used Internet protocols.
  • Burp Proxy Free Edition: A toolkit for web application security testing.
  • Automater: It is a URL/Domain, IP Address, and Md5 Hash open-source intelligence (OSINT) tool aimed at making the analysis process easier for intrusion Analysts. 
  • pdnstool: A tool for querying passive DNS providers.
  • Tor:  It is free software for enabling anonymous communication.
  • tcpextract: A tool for extracting files from network traffic based on file signatures.
  • tcpflow: It is a tool for understanding network packet flows and performing network forensics.
  • passive.py: A passive DNS tool (Virustotal + Mnemonic version).
  • CapTipper: A python tool to analyse, explore and revive HTTP malicious traffic.
  • yaraPcap.py: Yara Scanner For IMAP Feeds and saved Streams.
  • xxxswf: It is a Python script for carving, scanning, compressing, decompressing and analyzing Flash SWF files.
  • SWF Tools: It is a collection of utilities for working with Adobe Flash files (SWF files). The tool collection includes programs for reading SWF files, combining them, and creating them from other content (like images, sound files, videos or source code).
  • RABCDAsm: It is a collection of utilities including an ActionScript 3 assembler/disassembler, and a few tools to manipulate SWF files.
  • extract_swf: Tool to extract potential SWF files from projector binaries.
  • Flare: It is a free ActionScript decompiler.
  • Java Cache IDX Parser: It parses Java Cache IDX files.
  • JD-GUI Java Decompiler: It is a standalone graphical utility that displays Java source codes of ".class" files.
  • JAD Java Decompiler: A program that reads one or more Java class files and converts them into Java source files.
  • Javassist: It is a class library for editing bytecodes in Java; it enables Java programs to define a new class at runtime and to modify a class file when the JVM loads it.
  • CFR: Another Java decompiler.
  • Rhino Debugger:  A GUI that allows debugging of interpreted JavaScript scripts run in Rhino.
  • ExtractScripts:  It allows you to extract (potentially) malicious scripts from a webpage.
  • SpiderMonkey: It is Mozilla's JavaScript engine written in C and C++.
  • V8: Google's open source high-performance JavaScript engine, written in C++.
  • JS Beautifier: It allows you to beautify, unpack or deobfuscate JavaScript.
  • AnalyzePDF: Analyzes PDF files by looking at their characteristics.
  • Pdfobjflow: This program is meant to be used with pdf-parser from Didier Stevens. It reads the output from pdf-parser and creates the map of the objects flows under the form of a DOT file.
  • pdfid: It can scan a file to look for certain PDF keywords, allowing you to identify PDF documents that contain (for example) JavaScript or execute an action when opened.
  • pdf-parser: A tool to parse PDF files and identify fundamental elements.
  • peepdf: A Python tool to explore PDF files in order to find out if the file can be harmful or not.
  • Origami: A Ruby framework designed to parse, analyze, and forge PDF documents.
  • PDF X-RAY Lite: The lite version of PDF X-RAY that uses no backend.
  • PDFtk: Tool for quickly merging and splitting PDF documents and pages.
  • swf_mastah: It allows you to snatch SWFs from PDF files.
  • qpdf: It is a command-line program that does structural, content-preserving transformations on PDF files.
  • pdfresurrect: It is a tool aimed at analyzing PDF documents.
  • officeparser: A python script that parses the format of OLE compound documents used by Microsoft Office applications.
  • pyOLEScanner.py: It examines an Office document and looks for specific instances of malicious code.
  • oletools: It is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging.
  • libolecf: It is a library to access the OLE 2 Compound File (OLECF) format.
  • oledump: It is a program to analyze OLE files (Compound File Binary Format). These files contain streams of data. oledump allows you to analyze these streams.
  • emldump: It is a python script to analyze MIME files.
  • MSGConvert: A .MSG to mbox converter.
  • base64dump.py: It is a program that extracts and decodes base64 strings found inside the provided file.
  • Unicode: It displays Unicode character properties.
  • sctest:  Useful when testing new features.
  • unicode2hex-escaped: Converts Unicode encoded strings to hex.
  • unicode2raw: Converts Unicode encoded strings to raw.
  • dism-this: A Python script for analyzing disassembled data within file objects.
  • shellcode2exe: A shellcode to executable converter.
  • unXOR: This tool will search through an XOR-encoded file (binary, text-file, whatever) and use known-plain-text attacks to deduce the original keystream. Works on keys half as long as the known-plain-text, in linear complexity.
  • XORStrings: It will search for strings in the (binary) file you provide it, using the same encodings as XORSearch (XOR, ROL, ROT and SHIFT).
  • ex_pe_xor: It detects single byte xor encoding by searching for the encoded MZ, lfanew and PE, then XORs the data and uses pefile to extract the decoded executable.
  • XORSearch: A program to search for a given string in an XOR, ROL, ROT or SHIFT encoded binary file.
  • brxor.py: A tool for bruteforcing encoded strings within a boundary defined by a regular expression.
  • xortool: A tool to analyze multi-byte xor cipher.
  • NoMoreXOR: Tool to help guess files 256 byte XOR key by using frequency analysis.
  • XORBruteForcer: A script that implements a XOR bruteforcing of a given file, although a specific key can be used too. It's possible to look for a word in the XORed result, minimizing the output.
  • Balbuzard:  A package of malware analysis tools in Python to extract patterns of interest from suspicious files (IP addresses, domain names, known file headers, interesting strings, etc). It can also crack malware obfuscation such as XOR, ROL, etc by bruteforcing and checking for those patterns.
  • FLOSS: The FireEye Labs Obfuscated String Solver (FLOSS) is a program that can deobfuscate strings from malware binaries by using advanced static analysis techniques.
  • strdeobj: Extract and decode strings defined as arrays.
  • pestr: It is a multiplatform toolkit to work with PE (Portable Executable) binaries. Its main goal is to provide a feature-rich tool for proper analyze binaries, especially suspicious ones.
  • strings: It is a program that finds and prints text strings embedded in binary files such as executables.
  • Foremost: A console program to recover files based on their headers, footers, and internal data structures.
  • Scalpel: An open source program for recovering deleted data originally based on Foremost, although significantly more efficient.
  • bulk_extractor: A computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures.
  • Hachoir: A Python library to view and edit a binary stream field by field. In other words, Hachoir allows you to "browse" any binary stream just like you browse directories and files.
  • Wireshark: It is the world's foremost network protocol analyzer. It lets you see what's happening on your network at a microscopic level.
  • ngrep: It is a network packet analyzer that relies upon the pcap library and the GNU regex library.
  • TCPDump: A powerful command-line packet analyzer.
  • tcpick: It is a textmode sniffer libpcap-based that can track, reassemble and reorder TCP streams. Tcpick is able to save the captured flows in different files or displays them in the terminal, and so it is useful to sniff files that are transmitted via FTP or HTTP.
  • FakeDNS: A regular-expression based python MITM DNS server with support for DNS Rebinding attacks.
  • Nginx: It is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server.
  • fakeMail: Captures e-mails as files for acceptance testing. This avoids the excessive configuration of setting up a real mail server and trying to extract mail queue content
  • Honeyd: A small daemon that creates virtual hosts on a network.
  • INetSim: A software suite for simulating common internet services in a lab environment, e.g. for analyzing the network behavior of unknown malware samples.
  • Inspire IRCd: A modular Internet Relay Chat (IRC) server written in C++ for Linux, BSD, Windows and Mac OS X systems.
  • OpenSSH: It is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.
  • accept-all-ips: This is a bash shell script that is capable of redirecting all network traffic destined for IP addresses.
  • prettyping.sh: A wrapper around the standard ping tool with the objective of making the output prettier, more colorful, more compact, and easier to read.
  • set-static-ip: Allows you to temporarily assign a static IP.
  • renew-dhcp: Allows you to renew a DHCP Lease.
  • Netcat: A featured networking utility which reads and writes data across network connections, using the TCP/IP protocol.
  • EPIC IRC Client: An IRC client that has been under active development for 20+ years in 5 generations. It is stable and mature, and offers an excellent ircII interface for those of us who are accustomed to the ircII way of doing things.
  • Stunnel: A proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code. Its architecture is optimized for security, portability, and scalability (including load-balancing), making it suitable for large deployments.
  • Just-Metadata: A tool that gathers and analyzes metadata about IP addresses.
  • Maltrieve: A tool to retrieve malware directly from the source.
  • Ragpicker: A plugin based malware crawler with pre-analysis and reporting functionalities.
  • Viper: A binary analysis and management framework.
  • MASTIFF: A static analysis framework that automates the process of extracting key characteristics from a number of different file formats.
  • Density Scout: This tool calculates density (like entropy) for files of any file-system-path to finally output an accordingly descending ordered list.
  • YaraGenerator: An open-source toolset which allows for quick, effective, and automatic YARA signature creation from a number of malicious filetypesi (Executables, Office, PDF, Java, HTML, and more).
  • IOCextractor: A program to help extract IOCs (Indicator of Compromise) from text files.
  • Autorule: Tool for extracting binary patterns in malware sets and generating Yara rules.
  • Rule Editor
  • ioc-parser: It is a tool to extract indicators of compromise from security reports in PDF format.
  • Yara:  A tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples.
  • ClamAV: An open source antivirus engine for detecting trojans, viruses, malware & other malicious threats.
  • TrID: An utility designed to identify file types from their binary signatures.
  • ExifTool: A platform-independent command-line application for reading, writing and editing meta information in a wide variety of files.
  • virustotal-submit: It is a Python program to submit files to VirusTotal.
  • Disitool: A small Python program to manipulate embedded digital signatures.
  • nsrllookup: It is a command-line tool that allows you to quickly and efficiently triage files by MD5 hashes.
  • Hash Identifier: A program to identify the different types of hashes used to encrypt data and especially passwords.
  • totalhash: A python script to interface with totalhash.com.
  • ssdeep: A program for computing context triggered piecewise hashes (CTPH).
  • virustotal-search: A python program to search VirusTotal for hashes.
  • VirusTotalApi: VirusTotal full API.
  • Sysdig: It is the first container-native Docker monitoring solution that combines container visibility with Swarm, Mesos, and Kubernetes monitoring intelligence.
  • Unhide: A forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hidden technique.
  • Vivisect: It is a Python based static analysis and emulation framework.
  • Udis86: A disassembler library for the x86 architecture which allows you to decode a stream of bytes as x86 instructions, inspect various bits of information about them, and even translate to human readable assembly language form.
  • objdump: A program for displaying various information about object files.
  • Evan’s Debugger (EDB): A cross platform x86/x86-64 debugger.
  • GNU Project Debugger (GDB): It allows you to see what is going on 'inside' another program while it executes -- or what another program was doing at the moment it crashed.
  • strace: A diagnostic, debugging and instructional userspace tracer for Linux.
  • ltrace: A program that simply runs the specified command until it exits. It intercepts and records the dynamic library calls which are called by the executed process and the signals which are received by that process. It can also intercept and print the system calls executed by the program.
  • Radare2: A portable framework for reverse engineering and analyzing binaries.
  • Pyew: A python tool to analyse malware.
  • Bokken: A GUI for the Pyew malware analysis tool and Radare the reverse engineering framework.
  • m2elf: Converts Machine Code to x86 (32-bit) Linux executable (auto-wrapping with ELF headers).
  • ELF Parser: Tool for quickly determining the capabilities of an ELF binary through static analysis. It allows you to discover if the binary is known malware or a possible threat without ever executing the file.
  • SciTE:  A SCIntilla based text editor.
  • Geany: Geany is a lightweight GUI text editor using Scintilla and GTK+, including basic IDE features.
  • Vim: A highly configurable text editor built to make creating and changing any kind of text very efficient.
  • feh: An X11 image viewer aimed mostly at console users.
  • ImageMagick: A software suite to create, edit, compose, or convert bitmap images.
  • wxHexEditor: A hex editor that supports files up to 2^64 bytes.
  • VBinDiff: It displays files in hexadecimal and ASCII (or EBCDIC). It can also display two files at once, and highlight the differences between them. 
  • Xpdf: An open source viewer for Portable Document Format (PDF) files.
  • Volatility Framework: An advanced memory forensics framework.
  • findaes: A small utility to search for AES keys.
  • AESKeyFinder: A tool for finding and reconstructing AES keys.
  • RSAKeyFinder: A tool for locating RSA private and public keys.
  • VolDiff: A python script that leverages the Volatility framework to identify malware threats on Windows memory images.
  • Rekall: It is an advanced Memory Analysis framework.
  • linux_mem_diff_tool: A script to perform Linux memory diff analysis using Volatility.
  • UPX: A free, portable, extendable, high-performance executable packer for several executable formats.
  • Bytehist: A tool for generating byte-usage-histograms for all types of files with a special focus on binary executables in PE-format.
  • PackerID: A python based script written by Jim Clausing to help identifying what eventual packer is used in an executable file.
  • Signsrch: A tool for searching signatures inside files, extremely useful in reversing engineering for figuring or having an initial idea of what encryption/compression algorithm is used for a proprietary protocol or file.
  • pescanner: A PE analyzer written in python.
  • ExeScan: PE file anomaly detector.
  • Peframe: An open source tool for performing static analysis on (portable executables) malwares.
  • pedump: A pure ruby implementation of win32 PE binary files dumper.
  • RATDecoders: Python decoders for common Remote Access Trojans (RATs).
  • readpe.py: A python library to read and write PE/PE+ files.
  • PyInstaller Extractor: A tool to extract the contents of a windows executable file created by pyinstaller.
  • DC3-MWCP: It is a framework for parsing configuration information from malware.
  • Androwarn: A static code analyzer for malicious Android applications.
  • AndroGuard: It is a toolkit built in Python which provides reverse engineering and malware analysis for Android. 
  • ProcDOT: This tool processes Sysinternals Process Monitor (Procmon) logfiles and PCAP-logs (Windump, Tcpdump) to generate a graph via the GraphViz suite. This graph visualizes any relevant activities (customizable) and can be interactively analyzed.
  • bashhacks: An open source (GPL) set of bash functions probably useful for programmers, security analysts and general users that need to do some low level type of operation.
  • Docker: It is the world's leading software container platform. Developers use Docker to eliminate “works on my machine” problems when collaborating on code with co-workers. Operators use Docker to run and manage apps side-by-side in isolated containers to get better compute density. Enterprises use Docker to build agile software delivery pipelines to ship new features faster, more securely and with confidence for both Linux and Windows Server apps.
  • vtTool: It offers a convenient way of determining the likely name of malware by querying VirusTotal using the file’s hash via the command line.
  • REMnux Updater: Update or upgrade the REMnux distro on the local host.
  • Decompyle++: A python Byte-code disassembler/decompiler.

Additional  Tools

  • Metasploit Framework is not installed on REMnux; however, you can run it as a Docker container if the need arises.
  • WIPSTER offers a web-based interface to several REMnux tools. You can easily install WIPSTER on REMnux by running the command "install-wipster".
  • BinNavi is a tool for statically examining disassembled code. You can install it on REMnux by running the command "install-binnavi".

Source: www.effecthacking.com
REMnux - A Linux Toolkit For Reverse-Engineering & Malware Analysis REMnux - A Linux Toolkit For Reverse-Engineering & Malware Analysis Reviewed by Anonymous on 12:11 PM Rating: 5