PE Files

Last updated 1 year ago

Malchive

Perform static analysis of various aspects of malicious code.

Website: https://github.com/MITRECND/malchive
Author: The MITRE Corporation (https://github.com/MITRECND/malchive/graphs/contributors)
License: License 2.0 (https://github.com/MITRECND/malchive/blob/main/LICENSE)
Notes: Malchive command-line tools start with the prefix malutil-. See the utilities documentation for details.
State File: remnux.python3-packages.malchive

Speakeasy

Emulate code execution, including shellcode, Windows drivers, and Windows PE files.

Website: https://github.com/fireeye/speakeasy
Author: FireEye Inc, Andrew Davis
License: MIT License (https://github.com/fireeye/speakeasy/blob/master/LICENSE.txt)
Notes: To run the tool, use the speakeasy, emu_exe.py, and emu_dll.py commands.
State File: remnux.python3-packages.speakeasy

binee (Binary Emulation Environment)

Analyze I/O operations of a suspicious PE file by emulating its execution.

Website: https://github.com/carbonblack/binee
Author: Carbon Black, Kyle Gwinnup, John Holowczak
License: GNU General Public License (GPL) v2 (https://github.com/carbonblack/binee/blob/master/LICENSE)
Notes: Before using this tool, place the files your sample requires under /opt/binee-files/win10_32. For example, the Windows DLLs it needs should go under /opt/binee-files/win10_32/windows/system32. If you have a Windows 10 64-bit system, you can get the 32-bit DLLs from C:\Windows\SysWOW64. To check which DLLs you might need, examine the sample's import table using the "-i" parameter.
State File: remnux.packages.binee

mbcscan

Scan a PE file to list the associated Malware Behavior Catalog (MBC) details.

Website: https://github.com/accidentalrebel/mbcscan
Author: Karlo Licudine (https://twitter.com/accidentalrebel)
License: GNU General Public License (GPL) v3.0 (https://github.com/accidentalrebel/mbcscan/blob/master/LICENSE)
Notes: To run the tool, use the mbcscan.py command.
State File: remnux.scripts.mbcscan

capa

Detect suspicious capabilities in PE files.

Website: https://github.com/fireeye/capa
Author: FireEye Inc, Willi Ballenthin (https://twitter.com/williballenthin), Moritz Raabe (https://twitter.com/m_r_tz)
License: Apache License 2.0 (https://github.com/fireeye/capa/blob/master/LICENSE.txt)
State File: remnux.tools.capa