Docker Images of Malware Analysis Tools

The REMnux toolkit provides Docker images of popular malware analysis tools that you can run on any compatible system even without installing the REMnux distro. These images reside in the REMnux repository on Docker Hub, and are based on the files maintained in the REMnux GitHub repository.

Docker is installed as part of the REMnux distro. If you're planning to run REMnux Docker images on another system, you may need to install Docker. The first time you run an image (e.g., using the docker run command), Docker will automatically download the image from Docker Hub and run it locally as an active container. Your system will need to be connected to the internet to retrieve the image; afterwards, Docker will use a locally cached copy. You can use the docker pull command to update the cached version of the image.

The following Docker images of malware analysis tools are available as part of REMnux. If you have the expertise, consider adding to this collection by contributing a Dockerfile to the REMnux toolkit.

Thug Low-Interaction Honeyclient

Thug is a low-interaction honeyclient for examining suspicious websites. This tool was created by Angelo Dell'Aera. It's licensed under GNU General Public License (GPL) v2. In addition to being available as a Docker image, Thug is also installed as part of the REMnux distro.

One way to run Thug from its Docker image is to use the following command, which opens a shell in the container where you can run thug with the desired parameters (such as -F to enable file logging):

docker run --rm -it --entrypoint "/bin/bash" remnux/thug

The password for the container's user thug is thug. The remnux/thug image is hosted on its Docker Hub page.

Binary Refinery

The Binary Refinery™ is a collection of Python scripts that implement transformations of binary data such as compression and encryption. You can chain the tools as necessary to achieve your objective. This toolkit is authored by Jesko Hüttenhain and licensed under the 3-Clause BSD License.

To run Binary Refinery tools within the "remnux/binary-refinery" container, create a directory where you'll store your input files, e.g. ~/workdir. Then, use a command like this to launch the container and have your directory mapped as /home/nonroot/workdir inside the container:

docker run --rm -it -v ~/workdir:/home/nonroot/workdir remnux/binary-refinery

The binary-refinery Docker image is hosted in the REMnux Docker Hub repository.

For documentation about this toolkit, including the listing of its tools, see https://binref.github.io and https://github.com/binref/refinery.

PyLingual Python Bytecode Decompiler

PyLingual is an ML-based decompiler that translates Python 3.9+ bytecode back to source code using transformer models. It was created by UT Dallas Systems Security (syssec-utd) and is licensed under the GNU General Public License (GPL) v3.

To run PyLingual, create a directory where you'll store the .pyc files you plan to decompile. Then, open a shell inside the container:

PyLingual downloads ML models from Hugging Face on first use. To persist the model cache across container runs, mount a second volume:

The remnux/pylingual image is hosted on its Docker Hub page.

RetDec Retargetable Machine-Code Decompiler

RetDec is a decompiler that supports a variety of file formats, including PE and ELF, and several 32- and 64-bit architectures. It was created by Avast Software, and is licensed under the MIT License with third-party components that are distributed under their own licenses.

To run RetDec, create a directory where you'll store the files you plan to examine. Then, open a shell inside the container where you can run RetDec commands and have your local directory mapped as /home/retdec/workdir inside the container:

The password for the container's user retdec is retdec. The remnux/retdec image is hosted on its Docker Hub page.

The commands provided by RetDec start with the retdec- prefix and include retdec-decompiler, retdec-unpacker, and retdec-fileinfo.

Rizin Reverse-Engineering Framework

Rizin is a reverse-engineering framework that includes a disassembler and analysis capabilities for a variety of executable formats and architectures. It's licensed under GNU Lesser General Public License (LGPL) v3. This is a fork of the Radare2 project.

To run Rizin, create a directory where you'll store the files you plan to examine. Then, open a shell inside the container where you can run Rizin commands (rizin and others that start with rz-) and have your local directory mapped as /home/nonroot/workdir inside the container:

If you're planning to perform kernel-mode debugging, process tracing, or syscall tracing inside the container, then supply the parameters --cap-drop=ALL --cap-add=SYS_PTRACE when launching it.

The password for the container's user nonroot is nonroot. The remnux/rizin image is hosted on its Docker Hub page.

Radare2 Reverse-Engineering Framework

Radare2 is a reverse-engineering framework that includes a disassembler and analysis capabilities for a variety of executable formats and architectures. It's licensed under GNU Lesser General Public License (LGPL) v3.

To run Radare2, create a directory where you'll store the files you plan to examine. Then, open a shell inside the container where you can run Radare2 commands and have your local directory mapped as /home/nonroot/workdir inside the container:

If you're planning to perform kernel-mode debugging, process tracing, or syscall tracing inside the container, then supply the parameters --cap-drop=ALL --cap-add=SYS_PTRACE when launching it.
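The launch pattern used by the Rizin and Radare2 sections (a host work directory bind-mounted into the container, plus the reduced capability set when tracing is needed) as a small helper. This is an added example, not a script from the REMnux project; the function name remnux_run_args and the "ptrace" mode switch are assumptions made here.

```shell
#!/bin/sh
# Added example (not REMnux project code): build the docker run command line
# for a REMnux tool image with a host directory mapped to a path inside the
# container. Arguments: image, host directory, container path, and an
# optional mode; "ptrace" adds --cap-drop=ALL --cap-add=SYS_PTRACE, the
# capability set the page recommends for process/syscall tracing.
remnux_run_args() {
    image="$1"
    hostdir="$2"
    guestdir="$3"
    mode="${4:-plain}"

    # Refuse to mount a directory that does not exist: with -v, Docker would
    # silently create it on the host and the tool would see an empty workdir.
    if [ ! -d "$hostdir" ]; then
        echo "remnux_run_args: host directory '$hostdir' does not exist" >&2
        return 1
    fi

    # Bind mounts need an absolute host path; resolve a relative one.
    case "$hostdir" in
        /*) abs="$hostdir" ;;
        *)  abs="$(cd "$hostdir" && pwd)" ;;
    esac

    caps=""
    if [ "$mode" = "ptrace" ]; then
        # Drop every capability, then add back only what a debugger needs.
        caps="--cap-drop=ALL --cap-add=SYS_PTRACE "
    fi

    printf 'docker run --rm -it %s-v %s:%s %s\n' "$caps" "$abs" "$guestdir" "$image"
}

# Demonstration with a constructed, empty work directory so the example runs
# anywhere; point it at your real analysis directory in practice.
demo_dir="$(mktemp -d)"
remnux_run_args remnux/rizin "$demo_dir" /home/nonroot/workdir ptrace
remnux_run_args remnux/retdec "$demo_dir" /home/retdec/workdir
```

The function only prints the command so you can review the mount and capability flags before running it; pass its output to your shell once it looks right.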

The image includes the r2ai and decai plugins for LLM-powered reverse engineering. These require an LLM backend such as a cloud API or a local model server like Ollama. To use a cloud API, pass the API key and configure the provider inside r2:

The password for the container's user nonroot is nonroot. The remnux/radare2 image is hosted on its Docker Hub page.