Shellcode

Dynamically Reverse-Engineer Code


Last updated 3 years ago

shcode2exe

Convert 32 and 64-bit shellcode to a Windows executable file.

Website: https://github.com/accidentalrebel/shcode2exe
Author: Karlo Licudine (https://twitter.com/accidentalrebel)
License: GNU General Public License (GPL) v3.0 (https://github.com/accidentalrebel/shcode2exe/blob/master/LICENSE)
State File: remnux.scripts.shcode2exe

shellcode2exe.bat

Convert 32 and 64-bit shellcode to a Windows executable file.

Website: https://github.com/repnz/shellcode2exe
Author: Ori Damari (https://twitter.com/0xrepnz)
License: Free, unknown license
Notes: Use the full path name to specify the input file; look for the output file in /usr/local/shellcode2exe-bat
State File: remnux.tools.shellcode2exe-bat

scdbg

Analyze shellcode by emulating its execution.

Website: http://sandsprite.com/blogs/index.php?uid=7&pid=152
Author: David Zimmer
License: Free, unknown license
Notes: scdbg (GUI), scdbgc (console). Due to a compatibility issue, this tool is not available on an Ubuntu 20.04 SIFT Workstation system to which REMnux was added.
State File: remnux.packages.scdbg

runsc

Run shellcode to trace and analyze its execution.

Website: https://github.com/edygert/runsc
Author: Evan Dygert (https://twitter.com/edygert)
License: MIT License (https://github.com/edygert/runsc/blob/main/LICENSE)
Notes: Use the tracesc command to execute runsc within Wine in a way that traces the execution of shellcode. WARNING! This wrapper will actually execute the shellcode on the system, which might lead to your system becoming infected. Only use this wrapper in a properly configured, isolated laboratory environment, which you can return to a pristine state at the end of your analysis.
State File: remnux.packages.runsc

Speakeasy

Emulate code execution, including shellcode, Windows drivers, and Windows PE files.

Website: https://github.com/fireeye/speakeasy
Author: FireEye Inc, Andrew Davis
License: MIT License (https://github.com/fireeye/speakeasy/blob/master/LICENSE.txt)
Notes: To run the tool, use the speakeasy, emu_exe.py, and emu_dll.py commands.
State File: remnux.python3-packages.speakeasy

Qiling

Emulate code execution of PE files, shellcode, etc. for a variety of OS and hardware platforms.

Website: https://www.qiling.io
Author: https://github.com/qilingframework/qiling/blob/master/AUTHORS.TXT
License: GNU General Public License (GPL) v2.0 (https://github.com/qilingframework/qiling/blob/master/COPYING)
Notes: Use qltool to analyze artifacts. Before analyzing Windows artifacts, gather Windows DLLs and other components using the dllscollector.bat script. Read the tool's documentation to get started.
State File: remnux.python3-packages.qiling

Bitdefender Disassembler (bddisasm)

Disassemble 32 and 64-bit assembly instructions and emulate shellcode execution.

Website: https://github.com/bitdefender/bddisasm
Author: Bitdefender's HVI Team (https://bitdefender.com)
License: Apache License 2.0 (https://github.com/bitdefender/bddisasm/blob/master/LICENSE)
Notes: disasmtool
State File: remnux.packages.bddisasm

cut-bytes.py

Cut out a part of a data stream.

Website: https://blog.didierstevens.com/2015/10/14/cut-bytes-py/
Author: Didier Stevens (https://twitter.com/DidierStevens)
License: Public Domain
State File: remnux.scripts.cut-bytes

libemu

A library for x86 code emulation and shellcode detection.

Website: https://github.com/buffer/libemu
Author: https://github.com/buffer/libemu/blob/master/AUTHORS
License: Free, unknown license
State File: remnux.packages.libemu

XORSearch

Locate and decode strings obfuscated using common techniques.

Website: https://blog.didierstevens.com/programs/xorsearch/
Author: Didier Stevens (https://twitter.com/DidierStevens)
License: Public Domain
Notes: xorsearch
State File: remnux.packages.xorsearch