REMnux is a free, lightweight Linux toolkit (an Ubuntu-based distribution) for reverse-engineering malicious software.
REMnux collects some of the most common and effective tools used for reverse engineering malware, grouped into categories such as:
1) Investigate Linux malware
2) Statically analyze Windows executable files
3) Examine file properties and contents
4) Process multiple samples
5) Examine memory snapshots
6) Extract and decode artifacts
7) Examine documents
8) Examine browser malware
9) Network utilities
Install REMnux in VMware Workstation or Oracle VirtualBox from https://remnux.org/. Also download the malware samples from http://remnux.org/remnux-v4-malware.zip (password to extract the zip: fruits).
Suggested video tutorials:
1) https://www.sans.org/webcast/recording/citrix/98045/18035
2) https://www.youtube.com/watch?v=4LzCr9qf5_Q
Since the tutorials don't cover all the tools, I will be posting videos soon to explore every reverse engineering tool in brief.
I have listed the tools for the different sections below.
Note: Some of the described tools are not included in the REMnux distribution, so if you face any difficulty, feel free to download them separately.
Courtesy: Lenny Zeltser (https://zeltser.com/)
REMnux (https://remnux.org/)
| Tool Name | How to Invoke (Basic Command) | Category | Description |
|---|---|---|---|
| VBinDiff | vbindiff | Edit and View Files: Binary | Compare binary files |
| wxHexEditor | wxHexEditor | Edit and View Files: Binary | Graphical hex editor |
| XMind | xmind | Edit and View Files: Documents | Mind-mapping tool for organizing thoughts and data |
| Xpdf | xpdf | Edit and View Files: Documents | PDF viewer |
| feh | feh | Edit and View Files: Images | Image viewer |
| ImageMagick | display | Edit and View Files: Images | Image viewer |
| SciTE | scite | Edit and View Files: Text | Simple, yet powerful text editor |
| extract_swf | extract_swf.py | Examine Browser Malware: Flash | Extract Flash objects from files |
| RABCDAsm | rabcdasm, abcexport | Examine Browser Malware: Flash | Examine ActionScript from Flash files |
| SWF Tools | swfdump, swfextract, swfstrings, etc. | Examine Browser Malware: Flash | A toolkit for examining, creating and modifying Flash files |
| xxxswf | xxxswf.py | Examine Browser Malware: Flash | Extract Flash objects from other files |
| Jad | jad | Examine Browser Malware: Java | Java decompiler |
| Java Cache IDX Parser | idx_parser.py | Examine Browser Malware: Java | Examine Java IDX files |
| Java Decompiler | jd-gui | Examine Browser Malware: Java | Decompile Java class files |
| def.js | js -f /usr/local/etc/def.js | Examine Browser Malware: JavaScript | Library of JavaScript objects commonly defined by a browser or a PDF reader |
| ExtractScripts | extractscripts | Examine Browser Malware: JavaScript | Extract JavaScript scripts from an HTML file |
| Firebug | firefox, F12 | Examine Browser Malware: JavaScript | JavaScript debugger for Firefox |
| JavaScript Deobfuscator | firefox, Tools, Web Developer, JavaScript Deobfuscator | Examine Browser Malware: JavaScript | Observe JavaScript scripts being executed by Firefox |
| JS Beautifier | js-beautify | Examine Browser Malware: JavaScript | Reformat JavaScript scripts to improve their readability |
| JSDetox | cd /usr/local/jsdetox && ./jsdetox && firefox http://127.0.0.1:3000 | Examine Browser Malware: JavaScript | Decode obfuscated JavaScript |
| Rhino Debugger | rhino-debugger | Examine Browser Malware: JavaScript | Standalone JavaScript debugger |
| SpiderMonkey | js | Examine Browser Malware: JavaScript | JavaScript engine from Mozilla |
| V8 | d8 | Examine Browser Malware: JavaScript | JavaScript engine from Google |
| Automater | cd /usr/local/Automater && ./Automater.py | Examine Browser Malware: Websites | Look up URL/domain, IP and MD5 hash details |
| Burp Proxy Free Edition | burpsuite | Examine Browser Malware: Websites | Analyze and interact with websites in a controlled manner |
| curl | curl | Examine Browser Malware: Websites | Command-line tool for retrieving website contents |
| Firefox | firefox | Examine Browser Malware: Websites | Web browser |
| Malzilla | malzilla | Examine Browser Malware: Websites | Analyze suspicious websites and decode JavaScript |
| mitmproxy | mitmproxy, mitmdump | Examine Browser Malware: Websites | Intercept, modify, replay and save HTTP and HTTPS traffic |
| Network Miner Free Edition | NetworkMiner | Examine Browser Malware: Websites | Examine network traffic and carve PCAP capture files |
| pdnstool | pdnstool | Examine Browser Malware: Websites | Perform passive DNS lookups |
| Thug | cd /usr/local/thug/src && ./thug.py | Examine Browser Malware: Websites | Honeyclient for investigating suspicious websites |
| Tor | tor start | Examine Browser Malware: Websites | Tools for directing network traffic through anonymizing proxies |
| Wget | wget | Examine Browser Malware: Websites | Command-line tool for retrieving website contents |
| QuickJava | firefox, QJ button | Examine Browser Malware: Websites - Firefox | Toggle Firefox's support for risky web contents |
| Tamper Data | firefox, Tools, Tamper Data | Examine Browser Malware: Websites - Firefox | View and modify HTTP/HTTPS headers and POST parameters |
| OfficeMalScanner | OfficeMalScanner | Examine Document Files: Microsoft Office | Examine suspicious Microsoft Office files |
| officeparser | officeparser.py | Examine Document Files: Microsoft Office | Extract embedded files and macros from Office documents |
| AnalyzePDF | cd /usr/local/AnalyzePDF && ./AnalyzePDF.py | Examine Document Files: PDF | Examine a malicious PDF file |
| Origami | pdfwalker, pdfextract, pdfcop, etc. | Examine Document Files: PDF | Framework for examining, creating and modifying PDF files |
| PDF X-RAY Lite | pdfxray_lite | Examine Document Files: PDF | Examine the PDF document structure and contents |
| pdfid | pdfid | Examine Document Files: PDF | Locate common suspicious artifacts in a PDF file |
| Pdfobjflow | pdf-parser.py \| pdfobjflow.py | Examine Document Files: PDF | Visualize the output from pdf-parser |
| pdf-parser | pdf-parser.py | Examine Document Files: PDF | Examine a suspicious PDF file |
| PDFtk | pdftk | Examine Document Files: PDF | Edit PDF files |
| peepdf | peepdf | Examine Document Files: PDF | Analyze suspicious PDF files |
| dism-this | dism-this.py | Examine Document Files: Shellcode | Analyze disassembled data within file objects |
| sctest | sctest | Examine Document Files: Shellcode | Emulate shellcode execution |
| unicode2hex-escaped | unicode2hex-escaped | Examine Document Files: Shellcode | Clean up and convert Unicode to hex |
| unicode2raw | unicode2raw | Examine Document Files: Shellcode | Clean up and convert Unicode to raw |
| Autorule | cd /usr/local/autorule && ./tester.py | Examine File Properties and Contents: Define | Automatically define Yara signatures for a set of files |
| IOCextractor | IOCextractor | Examine File Properties and Contents: Define | Extract IOCs from a text report file |
| Yara Editor | yara-editor | Examine File Properties and Contents: Define | Create and modify Yara rules |
| YaraGenerator | yaraGenerator.py | Examine File Properties and Contents: Define | Generate Yara rules for designated files |
| Hash Identifier | hash_id | Examine File Properties and Contents: Hashes | Identify the type of a hash value, particularly password hashes |
| nsrllookup | nsrllookup | Examine File Properties and Contents: Hashes | Look up file hashes on an NSRL database server |
| ssdeep | ssdeep | Examine File Properties and Contents: Hashes | Compute and scan for a "fuzzy" signature of a file |
| totalhash | totalhash.py | Examine File Properties and Contents: Hashes | Look up a suspicious file hash in the totalhash.com database |
| ClamAV | clamscan | Examine File Properties and Contents: Scan | Clam antivirus engine |
| ExifTool | exiftool | Examine File Properties and Contents: Scan | Extract file properties |
| TrID | trid | Examine File Properties and Contents: Scan | Identify file types |
| Yara | yara | Examine File Properties and Contents: Scan | Scan files and file systems for signatures |
| AESKeyFinder | aeskeyfind | Examine Memory Snapshots | Locate embedded AES keys |
| findaes | findaes | Examine Memory Snapshots | Locate embedded AES keys |
| RSAKeyFinder | rsakeyfind | Examine Memory Snapshots | Locate embedded RSA keys |
| TotalRecall | cd /usr/local/TotalRecall && ./TotalRecall.py | Examine Memory Snapshots | Run popular Volatility commands and generate a report |
| Volatility Framework | vol | Examine Memory Snapshots | Memory forensics tool and framework |
| bulk_extractor | bulk_extractor | Extract and Decode Artifacts: Carving | Scan a disk image, a file, or a directory of files and extract useful information |
| Foremost | foremost | Extract and Decode Artifacts: Carving | Carve contents of files |
| Hachoir | hachoir-subfile, hachoir-metadata, hachoir-urwid | Extract and Decode Artifacts: Carving | View, edit and carve contents of various binary file types |
| pe-carv.py | pe-carv.py | Extract and Decode Artifacts: Carving | Carve out PE files |
| Scalpel | scalpel | Extract and Decode Artifacts: Carving | Carve contents of files |
| Balbuzard | /usr/local/balbuzard/balbuzard.py, /usr/local/balbuzard/bbcrack.py, /usr/local/balbuzard/bbharvest.py, /usr/local/balbuzard/bbtrans.py | Extract and Decode Artifacts: Deobfuscate | Extract and decode suspicious patterns from malicious files |
| brutexor/iheartxor | brutexor.py | Extract and Decode Artifacts: Deobfuscate | Brute-force all possible 1-byte XOR key values and examine the file for strings that might have been encoded with these keys |
| ex_pe_xor | ex_pe_xor.py | Extract and Decode Artifacts: Deobfuscate | Carve out single-byte XOR-encoded executables from files |
| NoMoreXOR | NoMoreXOR.py | Extract and Decode Artifacts: Deobfuscate | Guess 256-byte XOR keys by using frequency analysis |
| unXOR | unxor.py | Extract and Decode Artifacts: Deobfuscate | Guess a XOR key via known-plaintext attacks |
| XORBruteForcer | xorBruteForcer.py | Extract and Decode Artifacts: Deobfuscate | Brute-force the XOR key of a given file |
| XORSearch | xorsearch | Extract and Decode Artifacts: Deobfuscate | Locate and decode strings obfuscated using common techniques |
| XORStrings | xorstrings | Extract and Decode Artifacts: Deobfuscate | Locate and decode XOR-obfuscated strings |
| xortool | xortool | Extract and Decode Artifacts: Deobfuscate | Locate and deobfuscate contents encoded using a multi-byte XOR cipher |
| xortools | from xortools import rolling_xor | Extract and Decode Artifacts: Deobfuscate | Library for decoding XOR-obfuscated contents |
| pestr | pestr | Extract and Decode Artifacts: Extract Strings | Extract strings from a PE file |
| strdeobj | strdeobj | Extract and Decode Artifacts: Extract Strings | Extract and decode strings defined as arrays |
| Evan's Debugger (EDB) | edb | Investigate Linux Malware: Debug | Debug ELF binary files |
| GDB | gdb | Investigate Linux Malware: Debug | A powerful debugger |
| Sysdig | sysdig | Investigate Linux Malware: System | Track and examine local system activities on a Linux system |
| Unhide | unhide | Investigate Linux Malware: System | Find local hidden processes or connections on a Linux system |
| ltrace | ltrace | Investigate Linux Malware: Trace | Trace library calls |
| strace | strace | Investigate Linux Malware: Trace | Trace system calls and signals |
| Androwarn | androwarn.py | Misc. | Android static code analyzer |
| bashhacks | source /usr/local/bashhacks/bashhacks.sh | Misc. | Useful bash shell functions |
| ProcDOT | procdot | Misc. | Visualize and examine the output of Process Monitor and network sniffer logs |
| EPIC IRC Client | irc | Network: Misc. | IRC client |
| Netcat | nc | Network: Misc. | Flexible network client and server |
| prettyping.sh | pping | Network: Misc. | Ping a host while looking pretty |
| set-static-ip | set-static-ip | Network: Misc. | Temporarily assign a static IP |
| stunnel | stunnel | Network: Misc. | SSL encryption wrapper |
| FakeDNS | fakedns | Network: Services | Respond to DNS queries with a specified IP address |
| fakeMail | fakemail | Network: Services | Fake mail server that captures email messages sent through it without retransmitting them |
| Honeyd | farpd start && honeyd start | Network: Services | Intercept network traffic and emulate common services |
| INetSim | inetsim | Network: Services | Emulate common network services |
| Inspire IRCd | ircd start | Network: Services | IRC server |
| OpenSSH | sshd start | Network: Services | SSH server |
| Tiny HTTPd | httpd start | Network: Services | A simple web server that supports HTTP |
| ngrep | ngrep | Network: Sniffing | Sniff the network while looking for patterns that match the specified regular expressions |
| TCPDump | tcpdump | Network: Sniffing | Command-line network sniffer |
| tcpick | tcpick | Network: Sniffing | Sniffer that reassembles TCP streams |
| Wireshark | wireshark | Network: Sniffing | Network sniffer |
| Maltrieve | maltrieve.py | Process Multiple Samples | Retrieve malware from malicious sites |
| MASTIFF | mas | Process Multiple Samples | |
| Ragpicker | cd /usr/local/MalwareCrawler/src && ./ragpicker.py | Process Multiple Samples | Plugin-based malware crawler with pre-analysis and reporting functionality |
| Viper | viper | Process Multiple Samples | Store, classify and investigate suspicious binary files |
| WIPSTER Installer | /usr/local/sbin/install-wipster | Process Multiple Samples | Install web interface for MASTIFF and other tools |
| Disass | from disass.Disass32 import Disass32 | Python: Library | Binary analysis library for Python |
| pefile | import pefile | Python: Library | A library for examining PE file contents |
| PyV8 | import PyV8 | Python: Library | Python wrapper for Google's V8 JavaScript engine |
| objdump | objdump | Statically examine PE files: Disassemble; Investigate Linux Malware: Disassemble | Disassemble binary files |
| Udis86 | udcli | Statically examine PE files: Disassemble; Investigate Linux Malware: Disassemble | Disassemble binary files |
| Vivisect | vivbin | Statically examine PE files: Disassemble; Investigate Linux Malware: Disassemble | Statically examine and emulate binary files |
| ExeScan | exescan.py | Statically examine PE files: Find Anomalies | Statically examine a PE file and detect suspicious characteristics |
| Peframe | cd /usr/local/peframe && ./peframe.py | Statically examine PE files: Find Anomalies | Statically examine PE files |
| pescanner | pescanner | Statically examine PE files: Find Anomalies | Statically examine a PE file |
| pev | pepack, pescan, pestr, pehash, readpe, etc. | Statically examine PE files: Find Anomalies | PE file analysis toolkit |
| Signsrch | signsrch | Statically examine PE files: Find Anomalies | Locate common code patterns |
| RATDecoders | cd /usr/local/RATDecoders && ls | Statically examine PE files: Investigate | Extract and decode configuration details from common RAT samples |
| Bokken | bokken | Statically examine PE files: Investigate; Investigate Linux Malware: Investigate | Interactive static malware analysis tool |
| Pyew | pyew | Statically examine PE files: Investigate; Investigate Linux Malware: Investigate | Statically examine suspicious files |
| Radare | radare | Statically examine PE files: Investigate; Investigate Linux Malware: Investigate; Edit and View Files: Binary | The reverse engineering framework |
| Radare 2 | radare2 | Statically examine PE files: Investigate; Investigate Linux Malware: Investigate; Edit and View Files: Binary | Framework for examining binary files |
| Bytehist | bytehist | Statically examine PE files: Unpacking | Generate byte-usage histograms for all types of files, with a focus on PE files |
| Density Scout | densityscout | Statically examine PE files: Unpacking | Calculate the density (similar to entropy) of files in the specified location, useful for finding packed programs |
| PackerID | packerid | Statically examine PE files: Unpacking | Help determine which packer was used to protect a PE file |
| UPX | upx | Statically examine PE files: Unpacking | A popular tool for packing and unpacking executable files |