Shellcode

Dynamically Reverse-Engineer Code

shcode2exe

Convert 32 and 64-bit shellcode to a Windows executable file.

Website: https://github.com/accidentalrebel/shcode2exe
Author: Karlo Licudine: https://twitter.com/accidentalrebel
License: GNU General Public License (GPL) v3.0: https://github.com/accidentalrebel/shcode2exe/blob/master/LICENSE
State File: remnux.scripts.shcode2exe

shellcode2exe.bat

Convert 32 and 64-bit shellcode to a Windows executable file.

Website: https://github.com/repnz/shellcode2exe
Author: Ori Damari: https://twitter.com/0xrepnz
License: Free, unknown license
Notes: Use the full path name to specify the input file; look for the output file in /usr/local/shellcode2exe-bat
State File: remnux.tools.shellcode2exe-bat

scdbg

Analyze shellcode by emulating its execution.

Website: http://sandsprite.com/blogs/index.php?uid=7&pid=152
Author: David Zimmer
License: Free, unknown license
Notes: scdbg (GUI), scdbgc (console). Due to a compatibility issue, this tool is not available on an Ubuntu 20.04 SIFT Workstation system to which REMnux was added.
State File: remnux.packages.scdbg

runsc

Run shellcode to trace and analyze its execution.

Website: https://github.com/edygert/runsc
Author: Evan Dygert: https://twitter.com/edygert
License: MIT License: https://github.com/edygert/runsc/blob/main/LICENSE
Notes: Use the tracesc command to execute runsc within Wine in a way that traces the execution of shellcode. WARNING! This wrapper will actually execute the shellcode on the system, which might lead to your system becoming infected. Only use this wrapper in a properly configured, isolated laboratory environment, which you can return to a pristine state at the end of your analysis.
State File: remnux.packages.runsc

Speakeasy

Emulate code execution, including shellcode, Windows drivers, and Windows PE files.

Website: https://github.com/fireeye/speakeasy
Author: FireEye Inc, Andrew Davis
License: MIT License: https://github.com/fireeye/speakeasy/blob/master/LICENSE.txt
Notes: To run the tool, use the speakeasy, emu_exe.py, and emu_dll.py commands.
State File: remnux.python3-packages.speakeasy

Qiling

Emulate code execution of PE files, shellcode, etc. for a variety of OS and hardware platforms.

Website: https://www.qiling.io
Author: https://github.com/qilingframework/qiling/blob/master/AUTHORS.TXT
License: GNU General Public License (GPL) v2.0: https://github.com/qilingframework/qiling/blob/master/COPYING
Notes: Use qltool to analyze artifacts. Before analyzing Windows artifacts, gather Windows DLLs and other components using the dllscollector.bat script. Read the tool's documentation to get started.
State File: remnux.python3-packages.qiling

cut-bytes.py

Cut out a part of a data stream.

Website: https://blog.didierstevens.com/2015/10/14/cut-bytes-py/
Author: Didier Stevens: https://twitter.com/DidierStevens
License: Public Domain
State File: remnux.scripts.cut-bytes

libemu

A library for x86 code emulation and shellcode detection.

Website: https://github.com/buffer/libemu
Author: https://github.com/buffer/libemu/blob/master/AUTHORS
License: Free, unknown license
State File: remnux.packages.libemu

XORSearch

Locate and decode strings obfuscated using common techniques.

Website: https://blog.didierstevens.com/programs/xorsearch/
Author: Didier Stevens: https://twitter.com/DidierStevens
License: Public Domain
Notes: xorsearch
State File: remnux.packages.xorsearch