REMnux Documentation
Discover the Tools > Examine Static Properties

Deobfuscation

Last updated 6 months ago

CyberChef

Decode and otherwise analyze data using this browser app.

Website: https://github.com/gchq/CyberChef/
Author: GCHQ
License: Apache License 2.0 (https://github.com/gchq/CyberChef/blob/master/LICENSE)
Notes: cyberchef
State File: remnux.tools.cyberchef

Malchive

Perform static analysis of various aspects of malicious code.

Website: https://github.com/MITRECND/malchive
Author: The MITRE Corporation (https://github.com/MITRECND/malchive/graphs/contributors)
License: Apache License 2.0 (https://github.com/MITRECND/malchive/blob/main/LICENSE)
Notes: Malchive command-line tools start with the prefix malutil-. See the utilities documentation for details.
State File: remnux.python3-packages.malchive

1768.py

Analyze Cobalt Strike beacons.

Website: https://blog.didierstevens.com/2021/05/22/update-1768-py-version-0-0-6/
Author: Didier Stevens (https://twitter.com/DidierStevens)
License: Public Domain
Notes: For an overview of this tool, see the Quick Tip article.
State File: remnux.scripts.1768

cs-decrypt-metadata.py

Decrypt Cobalt Strike metadata.

Website: https://blog.didierstevens.com/2021/11/12/update-cs-decrypt-metadata-py-version-0-0-2/
Author: Didier Stevens (https://twitter.com/DidierStevens)
License: Public Domain
State File: remnux.scripts.cs-decrypt-metadata

Cobalt Strike Configuration Extractor (CSCE) and Parser

Extract and parse the configuration of Cobalt Strike beacons.

Website: https://github.com/strozfriedberg/cobaltstrike-config-extractor
Author: Aon / Stroz Friedberg
License: Apache License 2.0 (https://github.com/strozfriedberg/cobaltstrike-config-extractor/blob/master/LICENSE)
Notes: csce, list-cs-settings
State File: remnux.python3-packages.csce

sets.py

Perform set operations on lines or bytes in text files.

Website: https://blog.didierstevens.com/2021/05/22/update-1768-py-version-0-0-6/
Author: Didier Stevens (https://twitter.com/DidierStevens)
License: Public Domain
State File: remnux.scripts.sets

xortool

Analyze XOR-encoded data.

Website: https://github.com/hellman/xortool
Author: Aleksei Hellman
License: MIT License (https://github.com/hellman/xortool/blob/master/LICENSE)
State File: remnux.python3-packages.xortool

RATDecoders

Python 3 decoders for Remote Access Trojans.

Website: https://github.com/kevthehermit/RATDecoders
Author: Kevin Breen (https://twitter.com/KevTheHermit)
License: MIT License (https://github.com/kevthehermit/RATDecoders/blob/master/LICENSE)
Notes: malconf
State File: remnux.python3-packages.ratdecoders

DC3-MWCP

Parse configuration information from malware.

Website: https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP
Author: Defense Cyber Crime Center - United States Government
License: Some parts Public Domain, some MIT License (https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP/blob/master/LICENSE.txt)
Notes: mwcp
State File: remnux.python3-packages.dc3-mwcp

unicode

Display Unicode character properties.

Website: https://github.com/garabik/unicode
Author: Radovan Garabik
License: GNU General Public License (GPL) v3 (https://github.com/garabik/unicode/blob/master/COPYING)
State File: remnux.python3-packages.unicode

Chepy

Decode and otherwise analyze data using this command-line tool and Python library.

Website: https://github.com/securisec/chepy
Author: securisec (https://twitter.com/securisec)
License: GNU General Public License (GPL) v3 (https://github.com/securisec/chepy/blob/master/LICENSE)
Notes: chepy
State File: remnux.python3-packages.chepy

Balbuzard

Extract and deobfuscate patterns from suspicious files.

Website: https://github.com/decalage2/balbuzard
Author: Philippe Lagadec (https://twitter.com/decalage2)
License: Free, custom license (https://github.com/decalage2/balbuzard)
Notes: balbuzard, bbcrack, bbharvest, bbtrans
State File: remnux.python-packages.balbuzard

base64dump

Locate and decode strings encoded in Base64 and other common encodings.

Website: https://blog.didierstevens.com/2020/07/03/update-base64dump-py-version-0-0-12/
Author: Didier Stevens (https://twitter.com/DidierStevens)
License: Public Domain
Notes: base64dump.py
State File: remnux.scripts.base64dump

xor-kpa.py

Implement an XOR known-plaintext attack.

Website: https://blog.didierstevens.com/2017/06/06/update-xor-kpa-py-version-0-0-5/
Author: Didier Stevens (https://twitter.com/DidierStevens)
License: Public Domain
State File: remnux.scripts.xor-kpa

NoMoreXOR.py

Help guess a file's 256-byte XOR key using frequency analysis.

Website: https://github.com/hiddenillusion/NoMoreXOR
Author: Glenn P. Edwards Jr.
License: Free, unknown license
State File: remnux.scripts.nomorexor

unXOR

Deobfuscate XOR'ed files.

Website: https://github.com/tomchop/unxor/
Author: Thomas Chopitea
License: Apache License 2.0 (https://github.com/tomchop/unxor/blob/master/LICENSE)
State File: remnux.scripts.unxor

brxor.py

Brute-force XOR'ed strings to find those that decode to English words.

Website: https://github.com/REMnux/distro/blob/master/files/brxor.py
Author: Alexander Hanel, Trenton Tait
License: Free, unknown license
State File: remnux.scripts.brxor

xorBruteForcer.py

Brute-force an XOR-encoded file.

Website: https://eternal-todo.com/category/bruteforcer
Author: Jose Miguel Esparza
License: Free, unknown license
State File: remnux.scripts.xorbruteforcer

strdeob.pl

Locate and decode stack strings in executable files.

Website: https://github.com/REMnux/distro/blob/master/files/strdeob.pl
Author: TotalHash
License: Free, unknown license
State File: remnux.scripts.strdeob

ex_pe_xor.py

Search an XOR'ed file for indications of executable binaries.

Website: http://hooked-on-mnemonics.blogspot.com/2014/04/expexorpy.html
Author: Alexander Hanel
License: Free, unknown license
State File: remnux.scripts.ex_pe_xor

cut-bytes.py

Cut out a part of a data stream.

Website: https://blog.didierstevens.com/2015/10/14/cut-bytes-py/
Author: Didier Stevens (https://twitter.com/DidierStevens)
License: Public Domain
State File: remnux.scripts.cut-bytes

format-bytes.py

Decompose structured binary data with format strings.

Website: https://blog.didierstevens.com/2020/02/17/update-format-bytes-py-version-0-0-13/
Author: Didier Stevens (https://twitter.com/DidierStevens)
License: Public Domain
State File: remnux.scripts.format-bytes

translate.py

Translate bytes according to a Python expression.

Website: https://blog.didierstevens.com/programs/translate/
Author: Didier Stevens (https://twitter.com/DidierStevens)
License: Public Domain
State File: remnux.scripts.translate

XORStrings

Search for XOR-encoded strings in a file.

Website: https://blog.didierstevens.com/2013/04/15/new-tool-xorstrings/
Author: Didier Stevens
License: Free, unknown license
State File: remnux.packages.xorstrings

XORSearch

Locate and decode strings obfuscated using common techniques.

Website: https://blog.didierstevens.com/programs/xorsearch/
Author: Didier Stevens (https://twitter.com/DidierStevens)
License: Public Domain
Notes: xorsearch
State File: remnux.packages.xorsearch

FLOSS

Extract and deobfuscate strings from PE executables.

Website: https://github.com/mandiant/flare-floss
Author: FireEye Inc, Willi Ballenthin (https://twitter.com/williballenthin), Moritz Raabe
License: Apache License 2.0 (https://github.com/mandiant/flare-floss/blob/master/LICENSE.txt)
Notes: floss
State File: remnux.packages.flare-floss
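Several of the XOR tools above (xor-kpa.py, NoMoreXOR.py, xorBruteForcer.py, ex_pe_xor.py, XORSearch) automate three ideas: brute-forcing a one-byte key while looking for a string that a PE file is known to contain, recovering a repeating key from a known plaintext, and guessing each byte of a long key from byte frequencies. The following is an added example that is not REMnux's code nor the code of any tool listed here; it shows the three techniques in dependency-free Python 3. The sample "PE" blob, the key "REMnux", the marker string and all function names are constructed for illustration.

```python
"""Added example, not REMnux's or any listed tool's own code: three XOR
key-recovery strategies in plain Python 3. The sample blob, the key
"REMnux" and every function name here are assumptions made for the demo."""
from collections import Counter
from typing import List, Optional, Tuple

# Present in the DOS stub of nearly every PE file; a reliable known plaintext.
PE_MARKER = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def brute_single_byte(data: bytes, marker: bytes = PE_MARKER) -> List[int]:
    """Try all 256 one-byte keys and keep those under which `marker` appears."""
    return [k for k in range(256) if marker in xor_bytes(data, bytes([k]))]


def _period(stream: bytes, max_period: int) -> Optional[int]:
    """Smallest p <= max_period with stream[j] == stream[j + p] for all j, else None."""
    for p in range(1, max_period + 1):
        if all(stream[j] == stream[j + p] for j in range(len(stream) - p)):
            return p
    return None


def known_plaintext_keys(cipher: bytes, known: bytes,
                         max_keylen: int = 32) -> List[Tuple[int, bytes]]:
    """XOR known-plaintext attack.

    Slide `known` across the ciphertext. At the offset where it really sits,
    cipher XOR known is the key stream, which repeats with the key length.
    Returns (offset, key) pairs with the key rotated so key[0] lines up with
    cipher[0]. A period is only accepted if it is observed at least twice,
    so `known` must be at least twice as long as the key.
    """
    hits = []
    n = len(known)
    for i in range(len(cipher) - n + 1):
        stream = xor_bytes(cipher[i:i + n], known)
        p = _period(stream, min(max_keylen, n // 2))
        if p is None:
            continue
        # stream[j] == key[(i + j) % p], hence key[k] == stream[(k - i) % p]
        key = bytes(stream[(k - i) % p] for k in range(p))
        hits.append((i, key))
    return hits


def guess_key_by_frequency(cipher: bytes, keylen: int, expected: int = 0x00) -> bytes:
    """Frequency-analysis guess of a `keylen`-byte repeating key (NoMoreXOR uses 256).

    The bytes at positions pos, pos + keylen, pos + 2*keylen, ... were all
    XORed with the same key byte. Assume the most common of them was
    `expected` in the plaintext (0x00 for padded executables) and solve.
    """
    key = bytearray(keylen)
    for pos in range(keylen):
        column = cipher[pos::keylen]
        if column:
            common, _ = Counter(column).most_common(1)[0]
            key[pos] = common ^ expected
    return bytes(key)


def build_sample() -> bytes:
    """Constructed stand-in for a PE header region: MZ, DOS stub text, zero padding."""
    return b"MZ\x90\x00" + b"\x00" * 60 + PE_MARKER + b".\r\r\n$" + b"\x00" * 200


if __name__ == "__main__":
    plain = build_sample()
    single = xor_bytes(plain, b"\x5a")
    print("single-byte keys:", [hex(k) for k in brute_single_byte(single)])
    multi = xor_bytes(plain, b"REMnux")
    print("known-plaintext hits:", known_plaintext_keys(multi, b"cannot be run in DOS mode"))
    print("frequency guess:", guess_key_by_frequency(multi, 6))
```

The frequency guess only works when one plaintext byte dominates every key position, which is why the tools default to 0x00 and why it fails on compressed or encrypted payloads; the known-plaintext attack has no such requirement but needs a plaintext longer than the key, and a marker such as the DOS stub text usually provides it.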