Shellcode

Dynamically Reverse-Engineer Code

shellcode2exe.bat

Convert 32- and 64-bit shellcode to a Windows executable file.

Website: https://github.com/repnz/shellcode2exe
Author: Ori Damari: https://twitter.com/0xrepnz
License: Free, unknown license
Notes: Use full path name to specify the input file; look for the output file in /usr/local/shellcode2exe-bat
State File: remnux.tools.shellcode2exe-bat

Speakeasy

Emulate code execution, including shellcode, Windows drivers, and Windows PE files.

Website: https://github.com/fireeye/speakeasy
Author: FireEye Inc, Andrew Davis
License: MIT License: https://github.com/fireeye/speakeasy/blob/master/LICENSE.txt
Notes: run_speakeasy.py, emu_exe.py, emu_dll.py
State File: remnux.python3-packages.speakeasy

Qiling

Emulate code execution of PE files, shellcode, etc. for a variety of OS and hardware platforms.

Website: https://www.qiling.io
Author: https://github.com/qilingframework/qiling/blob/master/AUTHORS.TXT
License: GNU General Public License (GPL) v2.0: https://github.com/qilingframework/qiling/blob/master/COPYING
Notes: Use qltool to analyze artifacts. Before analyzing Windows artifacts, gather Windows DLLs and other components using the dllscollector.bat script. Read the tool's documentation to get started.
State File: remnux.python3-packages.qiling

cut-bytes.py

Cut out a part of a data stream.

Website: https://blog.didierstevens.com/2015/10/14/cut-bytes-py/
Author: Didier Stevens: https://twitter.com/DidierStevens
License: Public Domain
State File: remnux.scripts.cut-bytes

scdbg

Analyze shellcode by emulating its execution.

Website: http://sandsprite.com/blogs/index.php?uid=7&pid=152
Author: David Zimmer
License: Free, unknown license
Notes: scdbg (GUI), scdbgc (console)
State File: remnux.packages.scdbg

libemu

A library for x86 code emulation and shellcode detection.

Website: https://github.com/buffer/libemu
Author: https://github.com/buffer/libemu/blob/master/AUTHORS
License: Free, unknown license
State File: remnux.packages.libemu

XORSearch

Locate and decode strings obfuscated using common techniques.

Website: https://blog.didierstevens.com/programs/xorsearch/
Author: Didier Stevens: https://twitter.com/DidierStevens
License: Public Domain
Notes: xorsearch
State File: remnux.packages.xorsearch