REMnux v6 - A Linux Toolkit for Reverse-Engineering and Analyzing Malware
REMnux is a free Linux toolkit for assisting malware analysts with
reverse-engineering malicious software. It strives to make it easier for
forensic investigators and incident responders to start using the
variety of freely-available tools that can examine malware, yet might be
difficult to locate or set up.
The heart of the project is the REMnux Linux distribution based on Ubuntu.
This lightweight distro incorporates many tools for analyzing Windows
and Linux malware, examining browser-based threats such as obfuscated
JavaScript, exploring suspicious document files and taking apart other
malicious artifacts. Investigators can also use the distro to intercept
suspicious network traffic in an isolated lab when performing behavioral
malware analysis.
Malware Analysis Tools Installed on REMnux
The REMnux distribution includes many free tools useful for
examining malicious software. These utilities are set up and tested to
make it easier for you to perform malware analysis tasks without needing
to figure out how to install them. The majority of these tools are
listed below.
Examine Browser Malware
- Website analysis: Thug, mitmproxy, Network Miner Free Edition, curl, Wget, Burp Proxy Free Edition, Automater, pdnstool, Tor, tcpextract, tcpflow, passive.py, CapTipper
- Flash: xxxswf, SWF Tools, RABCDAsm, extract_swf, Flare
- Java: Java Cache IDX Parser, JD-GUI Java Decompiler, JAD Java Decompiler, Javassist, CFR
- JavaScript: Rhino Debugger, ExtractScripts, Firebug, SpiderMonkey, V8, JS Beautifier
Examine Document Files
- PDF: AnalyzePDF, Pdfobjflow, pdfid, pdf-parser, peepdf, Origami, PDF X-RAY Lite, PDFtk, swf_mastah
- Microsoft Office: officeparser, pyOLEScanner.py, oletools, libolecf, oledump, emldump
- Shellcode: sctest, unicode2hex-escaped, unicode2raw, dism-this, shellcode2exe
Extract and Decode Artifacts
- Deobfuscate: unXOR, XORStrings, ex_pe_xor, XORSearch, brutexor/iheartxor, xortool, NoMoreXOR, XORBruteForcer, Balbuzard
- Extract strings: strdeobj, pestr, strings
- Carving: Foremost, Scalpel, bulk_extractor, Hachoir
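As an added example (not REMnux, XORSearch or brutexor code) of the known-plaintext technique the XOR tools above implement: instead of decoding the whole sample once per candidate key, XOR each marker string with every single-byte key and search the raw sample for the result, then rank keys by hit count. The marker list, the sample bytes and the hostname in it are constructed for this example.

```python
"""Single-byte XOR key recovery by known-plaintext search.

Added example illustrating the approach of XORSearch/brutexor; it is not
their code. Markers and the sample are constructed for the demonstration.
"""

# Strings that commonly survive in XOR-obfuscated droppers and payloads.
# This list is an assumption for the example; the real tools ship their own.
DEFAULT_MARKERS = [b"This program", b"http://", b"https://", b"kernel32", b"cmd.exe"]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (a single-byte key is the len(key)==1 case)."""
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def xor_search(data: bytes, markers=DEFAULT_MARKERS):
    """Return (key, marker, offset) for every single-byte key under which a marker
    appears in data. Key 0x00 is included so unobfuscated hits show up as well."""
    hits = []
    for key in range(256):
        k = bytes([key])
        for marker in markers:
            needle = xor_bytes(marker, k)  # how the marker looks in the raw sample under this key
            off = data.find(needle)
            while off != -1:
                hits.append((key, marker, off))
                off = data.find(needle, off + 1)
    return hits


def rank_keys(hits):
    """Order candidate keys by number of marker hits, most likely first."""
    counts = {}
    for key, _, _ in hits:
        counts[key] = counts.get(key, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def decode_with(data: bytes, key: int) -> bytes:
    """Decode the sample with a recovered single-byte key."""
    return xor_bytes(data, bytes([key]))


# Constructed sample: a fake MZ header and two strings, XORed with 0x5A.
PLAINTEXT = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode.\r\n"
    + b"http://example.invalid/gate.php"
)
SAMPLE = xor_bytes(PLAINTEXT, b"\x5a")

if __name__ == "__main__":
    found = xor_search(SAMPLE)
    for key, marker, off in found:
        print(f"key=0x{key:02x} marker={marker!r} offset={off}")
    best_key = rank_keys(found)[0][0]
    print("best key 0x%02x, decoded head: %r" % (best_key, decode_with(SAMPLE, best_key)[:16]))
```

Ranking by hit count matters on real samples: a 7-byte marker such as `http://` can match by chance in a large blob under some key, while the true key usually lights up several markers at once. Some XOR loops skip bytes equal to zero or equal to the key so that null padding stays null; marker hits still work in the non-null regions, but a straight `decode_with` will then mangle those bytes and the loop has to be reproduced from the unpacking stub.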
Handle Network Interactions
- Sniffing: Wireshark, ngrep, TCPDump, tcpick
- Services: FakeDNS, Nginx, fakeMail, Honeyd, INetSim, Inspire IRCd, OpenSSH, accept-all-ips
- Miscellaneous network: prettyping.sh, set-static-ip, renew-dhcp, Netcat, EPIC IRC Client, stunnel
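As an added example (not FakeDNS or REMnux code) of what the lab DNS sinkhole in the Services list does: answer every A query with the analyst box's address so the sample connects to the fake services on REMnux rather than its real infrastructure. The `LAB_IP` value, the port-53 listener and the query name in the sample packet are assumptions made for this example; `build_query` exists only to produce test input, since in the lab the queries come from the malware.

```python
"""Minimal DNS sinkhole: every A query is answered with the lab box's address.

Added example of the FakeDNS idea; not the FakeDNS or REMnux implementation.
LAB_IP is an assumption for the isolated lab network.
"""
import socket
import struct

LAB_IP = "10.0.0.1"  # assumption: REMnux's address on the isolated lab segment


def parse_qname(pkt: bytes, offset: int = 12):
    """Decode the label-encoded question name starting at offset (12 = after header).
    Returns (name, offset_after_name). Compression pointers are not expected in a
    question section, so only plain labels are accepted."""
    labels = []
    while True:
        length = pkt[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(pkt[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Construct a standard recursive query; used here only to make sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def build_response(query: bytes, answer_ip: str = LAB_IP, ttl: int = 60) -> bytes:
    """Answer an A/IN query with answer_ip. Other types get an empty NOERROR reply
    so the client accepts the answer instead of retrying another resolver."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    _name, end = parse_qname(query)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]          # echo the question section unchanged
    rd = flags & 0x0100                   # keep the client's RD bit
    ancount = 1 if (qtype == 1 and qclass == 1) else 0
    header = struct.pack("!HHHHHH", txid, 0x8000 | rd | 0x0080, 1, ancount, 0, 0)
    answer = b""
    if ancount:
        # name = pointer to offset 12, type A, class IN, TTL, RDLENGTH 4, address
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


def serve(bind_addr: str = "0.0.0.0", port: int = 53):
    """Run the sinkhole on UDP port 53 (needs root). Not started at import time."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            name, _ = parse_qname(data)
            print(f"{peer[0]} asked for {name} -> {LAB_IP}")
            sock.sendto(build_response(data), peer)
        except (ValueError, IndexError):
            continue  # malformed packet; log and keep serving


if __name__ == "__main__":
    serve()
```

The sinkhole is only useful when the victim VM's resolver points at the REMnux box and the lab segment has no route to the Internet; otherwise the sample can bypass it with a hard-coded resolver or a direct IP. Logging every name asked for is the real output of the exercise: the domains are indicators even when the sample never completes a connection.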
Process Multiple Samples
Examine File Properties and Contents
- Define signatures: YaraGenerator, IOCextractor, Autorule, Rule Editor
- Scan: Yara, ClamAV, TrID, ExifTool, virustotal-submit, Disitool
- Hashes: nsrllookup, Automater, Hash Identifier, totalhash, ssdeep, virustotal-search, VirusTotalApi
Investigate Linux Malware
- System: Sysdig, Unhide
- Disassemble: Vivisect, Udis86, objdump
- Debug: Evan’s Debugger (EDB), GNU Project Debugger (GDB)
- Trace: strace, ltrace
- Investigate: Radare 2, Pyew, Bokken, m2elf
Edit and View Files
- Text: SciTE, Geany, Vim
- Images: feh, ImageMagick
- Binary: wxHexEditor, VBinDiff
- Documents: Xpdf
Examine Memory Snapshots
- Volatility Framework, findaes, AESKeyFinder, RSAKeyFinder, VolDiff, Rekall
Statically Examine PE Files
- Unpacking: UPX, Bytehist, Density Scout, PackerID
- Disassemble: objdump, Udis86, Vivisect
- Find anomalies: Signsrch, pescanner, ExeScan, pev, Peframe, pedump
- Investigate: Bokken, RATDecoders, Pyew, readpe.py, PyInstaller Extractor
Investigate Mobile Malware
Perform Other Tasks
- ProcDOT, bashhacks, Docker, vtTool, REMnux Updater, Decompyle++
REMnux Documentation
REMnux documentation is a
relatively recent effort that provides additional details about
the toolkit. The document set is still in need of improvement and expansion.
The one-page REMnux cheat sheet
highlights some of the most useful tools and commands available as part
of the REMnux distro. It’s an especially nice starting point for people
who are new to the distribution.
Reviewed by Zion3R on 7:01 PM