📄
REMnux Documentation
📄
REMnux Documentation
📄
REMnux Documentation
📄
REMnux Documentation
REMnux: A Linux Toolkit for Malware Analysis
Install the Distro
Get the Virtual Appliance
Install from Scratch
Add to an Existing System
Run REMnux as a Container
Keep the Distro Up to Date
Discover the Tools
Examine Static Properties
Statically Analyze Code
General
Unpacking
PE Files
Python
Java
.NET
Flash
Android
Dynamically Reverse-Engineer Code
Perform Memory Forensics
Explore Network Interactions
Investigate System Interactions
Analyze Documents
Gather and Analyze Data
View or Edit Files
General Utilities
Run Tools in Containers
Docker Images of Malware Analysis Tools
Behind the Scenes
People
Technologies
License
Tips and More
REMnux Configuration Tips
REMnux Tool Tips
Malware Analysis Training
REMnux Website
Get Involved
Ask and Answer Questions
Write About the Tools
Add or Update Tools
Implement Enhancements
Powered by GitBook

PE Files

Statically Analyze Code

Malchive

Perform static analysis of various aspects of malicious code.

Website: https://github.com/MITRECND/malchive Author: The MITRE Corporation, https://github.com/MITRECND/malchive/graphs/contributors License: License 2.0: https://github.com/MITRECND/malchive/blob/main/LICENSE Notes: Malchive command-line tools start with the prefix malutil-. See utilities documentation for details. State File: remnux.python3-packages.malchive​

Speakeasy

Emulate code execution, including shellcode, Windows drivers, and Windows PE files.

Website: https://github.com/fireeye/speakeasy Author: FireEye Inc, Andrew Davis License: MIT License: https://github.com/fireeye/speakeasy/blob/master/LICENSE.txt Notes: run_speakeasy.py, emu_exe.py, emu_dll.py State File: remnux.python3-packages.speakeasy​

binee (Binary Emulation Environment)

Analyze I/O operations of a suspicious PE file by emulating its execution.

Website: https://github.com/carbonblack/binee Author: Carbon Black, Kyle Gwinnup, John Holowczak License: GNU General Public License (GPL) v2: https://github.com/carbonblack/binee/blob/master/LICENSE Notes: Before using this tool, place the files your sample requires under /opt/binee-files/win10_32. For example, the Windows DLLs it needs should go /opt/binee-files/win10_32/windows/system32. If you have a Windows 10 64-bit system, you can get the 32-bit DLLs from C:\Windows\SysWOW64 To check which DLLs you might need by examining the import table using the "-i" parameter. State File: remnux.packages.binee​

MBCScan

Scan a PE file to list the associated Malware Behavior Catalog (MBC) details.

Website: https://github.com/accidentalrebel/mbcscan Author: Karlo Licudine: https://twitter.com/accidentalrebel License: GNU General Public License (GPL) v3.0: https://github.com/accidentalrebel/mbcscan/blob/master/LICENSE Notes: mbcscan.py State File: remnux.scripts.mbcscan​

capa

Detect suspicious capabilites in PE files.

Website: https://github.com/fireeye/capa Author: FireEye Inc, Willi Ballenthin: https://twitter.com/williballenthin, Moritz Raabe: https://twitter.com/m_r_tz License: Apache License 2.0: https://github.com/fireeye/capa/blob/master/LICENSE.txt State File: remnux.python3-packages.capa​

Previous
Unpacking
Next
Python
Last updated 3 days ago
Contents
Malchive
Speakeasy
binee (Binary Emulation Environment)
MBCScan
capa