Shellcode

Dynamically Reverse-Engineer Code

shcode2exe

Convert 32 and 64-bit shellcode to a Windows executable file.

Website: https://github.com/accidentalrebel/shcode2exe Author: Karlo Licudine: https://twitter.com/accidentalrebel License: GNU General Public License (GPL) v3.0: https://github.com/accidentalrebel/shcode2exe/blob/master/LICENSE State File: remnux.scripts.shcode2exe

shellcode2exe.bat

Convert 32 and 64-bit shellcode to a Windows executable file.

Website: https://github.com/repnz/shellcode2exe Author: Ori Damari: https://twitter.com/0xrepnz License: Free, unknown license Notes: Use full path name to specify the input file; look for the output file in /usr/local/shellcode2exe-bat State File: remnux.tools.shellcode2exe-bat

scdbg

Analyze shellcode by emulating its execution.

Website: http://sandsprite.com/blogs/index.php?uid=7&pid=152 Author: David Zimmer License: Free, unknown license Notes: scdbg (GUI), scdbgc (console). Due to a compatibility issue, this tool is not available on an Ubuntu 20.04 SIFT Workstation system to which REMnux was added. State File: remnux.packages.scdbg

runsc

Run shellcode to trace and analyze its execution.

Website: https://github.com/edygert/runsc Author: Evan Dygert: https://twitter.com/edygert License: MIT License: https://github.com/edygert/runsc/blob/main/LICENSE Notes: Use the tracesc command to execute runsc within Wine in a way that traces the execution of shellcode. WARNING! This wrapper will actually execute the shellcode on the system, which might lead to your system becoming infected. Only use this wrapper in an properly configured, isolated laboratory environment, which you can return to a pristine state at the end of your analysis. State File: remnux.packages.runsc

Speakeasy

Emulate code execution, including shellcode, Windows drivers, and Windows PE files.

Website: https://github.com/fireeye/speakeasy Author: FireEye Inc, Andrew Davis License: MIT License: https://github.com/fireeye/speakeasy/blob/master/LICENSE.txt Notes: run_speakeasy.py, emu_exe.py, emu_dll.py State File: remnux.python3-packages.speakeasy

Qiling

Emulate code execution of PE files, shellcode, etc. for a variety of OS and hardware platforms.

Website: https://www.qiling.io Author: https://github.com/qilingframework/qiling/blob/master/AUTHORS.TXT License: GNU General Public License (GPL) v2.0: https://github.com/qilingframework/qiling/blob/master/COPYING Notes: Use qltool to analyze artifacts. Before analyzing Windows artifacts, gather Windows DLLs and other components using the dllscollector.bat script. Read the tool's documentation to get started. State File: remnux.python3-packages.qiling

Bitdefender Disassembler (bddisasm)

Disassemble 32 and 64-bit assembly instructions and emulate shellcode execution.

Website: https://github.com/bitdefender/bddisasm Author: Bitdefender's HVI Team: https://bitdefender.com License: Apache License 2.0: https://github.com/bitdefender/bddisasm/blob/master/LICENSE Notes: disasmtool State File: remnux.packages.bddisasm

cut-bytes.py

Cut out a part of a data stream.

Website: https://blog.didierstevens.com/2015/10/14/cut-bytes-py/ Author: Didier Stevens: https://twitter.com/DidierStevens License: Public Domain State File: remnux.scripts.cut-bytes

libemu

A library for x86 code emulation and shellcode detection

Website: https://github.com/buffer/libemu Author: https://github.com/buffer/libemu/blob/master/AUTHORS License: Free, unknown license State File: remnux.packages.libemu

XORSearch

Locate and decode strings obfuscated using common techniques.

Website: https://blog.didierstevens.com/programs/xorsearch/ Author: Didier Stevens: https://twitter.com/DidierStevens License: Public Domain Notes: xorsearch State File: remnux.packages.xorsearch