Security of Information, Threat Intelligence, Hacking, Offensive Security, Pentest, Open Source, Hackers Tools, Leaks, Pr1v8, Premium Courses Free, etc

Showing posts with label Engenharia Reversa. Show all posts

Saturday, February 6, 2016

Ultimate Packer for eXecutables - UPX



Overview

UPX achieves an excellent compression ratio and offers very fast decompression. Your executables suffer no memory overhead or other drawbacks for most of the formats supported, because of in-place decompression. 

UPX strengths in a nutshell:

ºexcellent compression ratio: typically compresses better than WinZip/zip/gzip, use UPX to decrease the size of your distribution!
ºvery fast decompression: ~10 MB/sec on an ancient Pentium 133, ~200 MB/sec on an Athlon XP 2000+.
ºno memory overhead for your compressed executables because of in-place decompression.
ºsafe: you can list, test and unpack your executables. Also, a checksum of both the compressed and uncompressed file is maintained internally.
ºuniversal: UPX can pack a number of executable formats.
ºportable: UPX is written in portable endian-neutral C++.
ºextendable: because of the class layout it's very easy to add new executable formats or new compression algorithms.
ºfree: UPX is distributed with full source code under the GNU General Public License v2+, with special exceptions granting the free usage for commercial programs as stated in the UPX License Agreement.

You probably understand now why we call UPX the "Ultimate Packer for eXecutables". UPX aims to be commercial quality free software, based on experience with our previous packers (DJP, lzop, and the NRV library).



Sunday, January 31, 2016

PE Tools - PEiD



PEiD

Description

ºPEiD detects most common packers, cryptors and compilers for PE files.
ºIt can currently detect more than 470 different signatures in PE files.
ºIt seems that the official website (www.peid.info) has been discontinued. Hence, the tool is no longer available from the official website, but it is still hosted on other sites.



Signatures

Update your signatures (initial file is empty). Replace the initial userdb.txt file with one of these files:

ºhttp://handlers.sans.org/jclausing/userdb.txt
ºhttp://reverse-engineering-scripts.googlecode.com/files/UserDB.TXT
ºhttp://research.pandasecurity.com/blogs/images/userdb.txt
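To show how a userdb.txt entry is actually applied, here is an added example (not PEiD's own code) that parses signatures in that file's layout and matches them against a byte buffer. The entry names, signature bytes and the sample buffer are constructed for the demonstration, not real packer signatures.

```python
from typing import List, Optional, Tuple

# Constructed entries in the userdb.txt layout PEiD reads: a [name] line, a
# "signature =" line of hex bytes where ?? is a wildcard byte, and an ep_only
# flag. The byte values are invented for the demonstration, not real signatures.
SAMPLE_USERDB = """
[Demo packer v1.0 (constructed)]
signature = 60 E8 ?? ?? ?? ?? 5D 81 ED
ep_only = true

[Demo compiler stub (constructed)]
signature = 55 8B EC 83 EC ?? 53 56 57
ep_only = false
"""

Pattern = List[Optional[int]]          # None marks a ?? wildcard
Signature = Tuple[str, Pattern, bool]  # (name, pattern, ep_only)

def parse_userdb(text: str) -> List[Signature]:
    """Parse userdb.txt-style text into (name, pattern, ep_only) tuples."""
    sigs: List[Signature] = []
    name, pattern, ep_only = None, None, True
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            if name is not None and pattern is not None:
                sigs.append((name, pattern, ep_only))
            name, pattern, ep_only = line[1:-1], None, True
        elif "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip().lower(), value.strip()
            if key == "signature":
                pattern = [None if tok == "??" else int(tok, 16) for tok in value.split()]
            elif key == "ep_only":
                ep_only = value.lower() == "true"
    if name is not None and pattern is not None:
        sigs.append((name, pattern, ep_only))
    return sigs

def match_at(data: bytes, offset: int, pattern: Pattern) -> bool:
    """True if pattern matches data at offset, wildcards matching any byte."""
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))

def scan(data: bytes, entry_point: int, sigs: List[Signature]) -> List[str]:
    """Names of matching signatures: ep_only ones are tried only at the entry
    point, the rest anywhere in the buffer (PEiD's 'deep scan' behaviour)."""
    hits = []
    for name, pattern, ep_only in sigs:
        if ep_only:
            found = match_at(data, entry_point, pattern)
        else:
            found = any(match_at(data, off, pattern)
                        for off in range(len(data) - len(pattern) + 1))
        if found:
            hits.append(name)
    return hits

# Constructed "code section": 16 bytes of padding, then bytes that satisfy the
# first signature at offset 16, which plays the role of the entry point.
SAMPLE_CODE = bytes(16) + bytes.fromhex("60E8112233445D81ED") + bytes(8)
SAMPLE_EP = 16

if __name__ == "__main__":
    for hit in scan(SAMPLE_CODE, SAMPLE_EP, parse_userdb(SAMPLE_USERDB)):
        print("matched:", hit)
```

On a real file the entry point offset comes from the PE header (AddressOfEntryPoint mapped to its file offset), which is the part PEiD does for you.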

Section Viewer, PE disassembler, PE details, Extra information, Menu (screenshots in the original post)

Generic OEP Finder

In some cases, PEiD can find the Original Entry Point (OEP) of a packed executable.

Krypto Analyzer (screenshot in the original post)



Debugging Tools for Windows - WinDbg



WinDbg is a multipurpose debugger for the Microsoft Windows computer operating system, distributed by Microsoft.[1] Debugging is the process of finding and resolving errors in a system; in computing it also includes exploring the internal operation of software as a help to development. It can be used to debug user mode applications, device drivers, and the operating system itself in kernel mode. Like the better-known Visual Studio Debugger it has a graphical user interface (GUI), but is more powerful and has little else in common.

WinDbg can be used for debugging kernel-mode memory dumps, created after what is commonly called the Blue Screen of Death which occurs when a bug check is issued.[2] It can also be used to debug user-mode crash dumps. This is known as post-mortem debugging.[3]

WinDbg can automatically load debugging symbol files (e.g., PDB files) from a server by matching various criteria (e.g., timestamp, CRC, single or multiprocessor version) via SymSrv (SymSrv.dll),[4] instead of the more time-consuming task of creating a symbol tree for a debugging target environment. If a private symbol server is configured, the symbols can be correlated with the source code for the binary. This eases the burden of debugging problems that have various versions of binaries installed on the debugging target by eliminating the need for finding and installing specific symbols version on the debug host. Microsoft has a public symbol server that has most of the public symbols for Windows 2000 and later versions of Windows (including service packs).[5]

Recent versions of WinDbg have been and are being distributed as part of the free Debugging Tools for Windows suite, which shares a common debugging back-end between WinDbg and command line debugger front-ends like KD, CDB, and NTSD. Most commands can be used as is with all the included debugger front-ends.



PE Tools v1.5



New in this version:

ºAdded Generic OEP Finder
ºDumpFixer added to Section Editor
ºNew signatures added (Tnx: .Cryorb/dyn!o/DeMoNiX/Aster!x/FEUERRADER)
ºPE Sniffer code is optimized
ºAbility to increment SizeOfHeaders added
ºNew plugin added - Recover UPX by Quantum
ºAdded ToolBar
ºAll options are saved in INI file now
ºControl elements are changed a little in Sections Editor and Directory Editor
ºExamples of plugins in MASM32/Delphi are added to SDK
ºSignature creation utility (SignMan) is now distributed along with the main package
ºPE Tools won't allow editing IMAGE_DOS_HEADER if the offset of IMAGE_OPTIONAL_HEADER is less than the size of IMAGE_DOS_HEADER
ºNew version of update module (UUpdateSystem.dll)
ºMMF functions are re-written
ºBug in File Location Calculator removed (Tnx: cyberbob)
ºBug in Kill Section (from file) removed
ºSmall bug in process dumper is removed
ºBug in Task Viewer removed
ºBug in Break & Enter removed
ºBug with options saving is removed
ºPE Tools now works fine on Win95 (Tnx: Lepton)
ºSections processing algorithm is significantly changed


Description:

This is a fully-functional utility for working with PE/PE+ (64-bit) files, including a PE file editor, Task Viewer, Win32 PE file optimizer, compiler/packer detector and many other things.

The basic functions of the program:

ºTask Viewer
ºProcess dump
ºDump Full
ºDump Partial
ºDump Region
ºAbility to dump .NET CLR processes
ºAutomatic removal of "Anti Dump Protection"
ºChange of a priority of process
ºKill process
ºLoading of process into PE Editor and PE Sniffer
ºGeneric OEP Finder
ºPE Sniffer
ºSearch of the compiler/packer used
ºAbility to update signature base
ºAbility to scan directories
ºPE Rebuilder
ºOptimization of a PE file
ºChange of PE address base of a file
ºPE Editor
ºEditing of the DOS header
ºSupport of new PE+(64bit) format
ºCRC correction
ºViewing and editing tables of import/export



System monitoring and debugging suite - Windows Sysinternals




Windows Sysinternals is a comprehensive suite of tools that can be used to debug, analyze, and monitor applications running on Windows and even the Windows operating system itself. An example of one of the more powerful tools in the suite is Process Explorer, which reports all of the files, directories, and programs that an application accesses during its execution.




The GNU Project Debugger - GDB


The GNU Debugger, usually called just GDB and named gdb as an executable file, is the standard debugger for the GNU operating system. However, its use is not strictly limited to the GNU operating system; it is a portable debugger that runs on many Unix-like systems and works for many programming languages, including Ada, C, C++, Objective-C, Free Pascal, Fortran, Java[1] and, partially, others.



Saturday, January 30, 2016

Immunity debugger




A debugger or debugging tool is a computer program that is used to test and debug other programs (the "target" program). The code to be examined might alternatively be running on an instruction set simulator (ISS), a technique that allows great power in its ability to halt when specific conditions are encountered, but which will typically be somewhat slower than executing the code directly on the appropriate (or the same) processor. Some debuggers offer two modes of operation—full or partial simulation—to limit this impact.




A "trap" occurs when the program cannot normally continue because of a programming bug or invalid data. For example, the program might have tried to use an instruction not available on the current version of the CPU or attempted to access unavailable or protected memory. When the program "traps" or reaches a preset condition, the debugger typically shows the location in the original code if it is a source-level debugger or symbolic debugger, commonly now seen in integrated development environments. If it is a low-level debugger or a machine-language debugger it shows the line in the disassembly (unless it also has online access to the original source code and can display the appropriate section of code from the assembly or compilation).



Interactive Disassembler - IDA



IDA (or the Interactive DisAssembler) is a disassembler for computer software which generates assembly language source code from machine-executable code. It supports a variety of executable formats for different processors and operating systems. It can also be used as a debugger for Windows PE, Mac OS X Mach-O, and Linux ELF executables. A decompiler plug-in for programs compiled with a C/C++ compiler is available at extra cost. The latest full version of IDA Pro is commercial, while an earlier and less capable version is available for download free of charge (version 5.0 as of March 2015).



Saturday, January 23, 2016

Exploring Android Platform - Mercury



The Heavy Metal That Poisoned the Droid

Mercury is a framework for exploring the Android platform; to find vulnerabilities and share proof-of-concept exploits.




A number of published security assessment methodologies currently exist to support researchers reviewing the security of Android applications and devices. The majority of these methodologies include static analysis methods and require the use of custom scripts and tools to perform single tasks. The general process of assessing the security of Android applications typically involves the following steps:


 ºDownload the target application packages
 ºExtract the application manifests
 ºDecompile the application into readable source code or byte code representations
 ºAnalyse the application manifests and code
 ºWrite a custom application to test anomalies in the entry points of the applications


This general process often requires a separate approach for each step, many different tools and lots of time, especially when a large number of applications need to be assessed as part of a project. If the process can be simplified and tools provided to automate the repetitive parts, it would enable a security researcher to assess applications and devices in a more consistent manner and ultimately perform more comprehensive assessments. This could also be done in less time whilst providing more assurance. Mercury is a framework that solves this problem by providing interactive tools that allow for dynamic interactions with the target applications running on a device. This dynamic interaction greatly benefits vulnerability hunters and auditors who are under time constraints. At the time of writing, there were no known frameworks for performing dynamic analysis on Android, making Mercury unique in its space.

This paper will lay the foundations for performing dynamic analysis and finding ways to automate some of the tasks that are needed when assessing the security of Android applications and devices. It will also delve into some  techniques that could be used by malicious applications with minimal permissions to steal information from devices.

Exploring Android Platform

Mercury allows you to assume the role of a low-privileged Android app, and to interact with both other apps and the system.

ºUse dynamic analysis on Android applications and devices for quicker security assessments
ºShare publicly known methods of exploitation on Android and proof-of-concept exploits for applications and devices
ºWrite custom tests and exploits, using the easy extensions interface

Mercury allows you to:

1. Interact with the 4 IPC endpoints – activities, broadcast receivers, content providers and services
2. Use a proper shell that allows you to play with the underlying Linux OS from the point of view of an unprivileged application (you will be amazed at how much you can still see)
3. Find information on installed packages with optional search filters to allow for better control
4. Built-in commands that can check application attack vectors on installed applications
5. Transfer files between the Android device and your computer
6. Create new modules to exploit your latest finding on Android, and play with those that others have found


Mercury does all of this over the network: it does not require ADB.




Sunday, January 17, 2016

Cross Platform ELF Analysis - ELF Parser




How do I compile it?

ELF Parser can be compiled on Windows, OS X, or Linux (demangling and unit tests don’t work on Windows). Windows uses the VS 2010 project in the base directory for compilation whereas Linux/OS X uses CMake. Compiling on Linux goes like this:


cd ~/elfparser
mkdir build
cd build/
cmake ..
make


Obviously, you will need to resolve any dependencies. Specifically, Boost is required and Qt is required for the GUI build.


Compile Targets


ELF Parser has a number of compilation targets that can be configured by CMakeLists.txt. The targets are:

º Unit tests
º CLI build
º GUI build
º Visual Studio build


CLI Usage

The user can pass in a single file (-f) or a directory (-d) of files:


./elfparser-cli --help
options:
  --help                 A list of command line options
  --version              Display version information
  -f [ --file ] arg      The ELF file to examine
  -d [ --directory ] arg The directory to look through.
  -r [ --reasons ]       Print the scoring reasons
  -c [ --capabilities ]  Print the files observed capabilities
  -p [ --print ]         Print the ELF files various parsed structures.





Thursday, January 14, 2016

Reverse engineering - Androguard





Androguard is mainly a tool written in Python to play with:

º Dex/Odex (Dalvik virtual machine) (.dex) (disassemble, decompilation),
º APK (Android application) (.apk),
º Android’s binary xml (.xml),
º Android Resources (.arsc).






Features:


º Map and manipulate DEX/ODEX/APK/AXML/ARSC formats into full Python objects,
º Disassembly/decompilation/modification of DEX/ODEX/APK formats,
º Decompilation with the first native (directly from Dalvik bytecode to Java source code) Dalvik decompiler (DAD),
º Access to the static analysis of the code (basic blocks, instructions, permissions (with database from http://www.android-permissions.org/) …) and create your own static analysis tool,
º Analyse a bunch of Android apps,
º Analysis with ipython/Sublime Text Editor,
º Diffing of Android applications,
º Measure the efficiency of obfuscators (ProGuard, …),
º Determine if your application has been pirated (plagiarism/similarities/rip-off indicator),
º Check if an Android application is present in a database (malware, goodware?),
º Open source database of Android malware (this open source database is done in my free time; of course my free time is limited, so if you want to help, you are welcome!),
º Detection of ad/open source libraries (WIP),
º Risk indicator of malicious applications,
º Reverse engineering of applications (goodware, malware),
º Transform Android's binary XML (like AndroidManifest.xml) into classic XML,
º Visualize your application with Gephi (GEXF format), or with Cytoscape (XGMML format), or PNG/DOT output,
º Integration with external decompilers (JAD+dex2jar/DED/…)






Tuesday, January 5, 2016

MALHEUR - Automatic Analysis of Malware Behavior


A novel tool for malware analysis

Malheur is a tool for the automatic analysis of malware behavior (program behavior recorded from malicious software in a sandbox environment). It has been designed to support the regular analysis of malicious software and the development of detection and defense measures. Malheur allows for identifying novel classes of malware with similar behavior and assigning unknown malware to discovered classes.

Analysis of malware behavior?

Malheur builds on the concept of dynamic analysis: Malware binaries are collected in the wild and executed in a sandbox, where their behavior is monitored during run-time. The execution of each malware binary results in a report of recorded behavior. Malheur analyzes these reports for discovery and discrimination of malware classes using machine learning.

Malheur can be applied to recorded behavior of various format, as long as monitored events are separated by delimiter symbols, for example as in reports generated by the popular malware sandboxes CWSandbox, Anubis, Norman Sandbox and Joebox.


Malheur allows for identifying novel classes of malware with similar behavior and assigning unknown malware to discovered classes. It supports four basic actions for analysis which can be applied to reports of recorded behavior:
  1. Extraction of prototypes: From a given set of reports, malheur identifies a subset of prototypes representative for the full data set. The prototypes provide a quick overview of recorded behavior and can be used to guide manual inspection.
  2. Clustering of behavior: Malheur automatically identifies groups (clusters) of reports containing similar behavior. Clustering allows for discovering novel classes of malware and provides the basis for crafting specific detection and defense mechanisms, such as anti-virus signatures.
  3. Classification of behavior: Based on a set of previously clustered reports, malheur is able to assign unknown behavior to known groups of malware. Classification enables identifying novel and unknown variants of malware and can be used to filter program behavior prior to manual inspection.
  4. Incremental analysis: Malheur can be applied incrementally for analysis of large data sets. By processing reports in chunks, the run-time as well as memory requirements can be significantly reduced. This renders long-term application of malheur feasible, for example for daily analysis of incoming malware programs.
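To make these actions concrete, here is an added example (not Malheur's own code) of the core idea behind prototype extraction and clustering: delimiter-separated behaviour reports are embedded as bags of event n-grams, prototypes are picked greedily so that every report lies within a distance threshold of one, and each report is then assigned to its nearest prototype. The reports, the '|' delimiter, the 2-gram length and the threshold are all constructed for the demonstration.

```python
import math
from collections import Counter
from typing import Dict, List

# Constructed behaviour reports, one per sample: monitored events separated
# by '|' (any delimiter-separated report format would do). Not real sandbox output.
REPORTS = {
    "sample_a": "open_file|write_file|create_process|connect|send",
    "sample_b": "open_file|write_file|create_process|connect|recv",
    "sample_c": "open_file|write_file|create_process|connect|send|sleep",
    "sample_d": "reg_open|reg_set|create_service|sleep",
    "sample_e": "reg_open|reg_set|create_service|sleep|reg_close",
}

def embed(report: str, n: int = 2, delim: str = "|") -> Dict[tuple, float]:
    """Embed a report as a unit-length bag of event n-grams: the vector space in
    which similar behaviour ends up close together."""
    events = [e for e in report.split(delim) if e]
    grams = Counter(tuple(events[i:i + n]) for i in range(len(events) - n + 1))
    norm = math.sqrt(sum(c * c for c in grams.values())) or 1.0
    return {g: c / norm for g, c in grams.items()}

def distance(u: Dict[tuple, float], v: Dict[tuple, float]) -> float:
    """Euclidean distance between two unit vectors, computed from their dot product."""
    dot = sum(w * v.get(g, 0.0) for g, w in u.items())
    return math.sqrt(max(0.0, 2.0 - 2.0 * dot))

def extract_prototypes(vectors: Dict[str, dict], max_dist: float) -> List[str]:
    """Action 1: pick prototypes greedily. Start with one report, then keep adding
    the report farthest from every prototype so far, until no report is farther
    than max_dist from its nearest prototype."""
    names = list(vectors)
    protos = [names[0]]
    nearest = {n: distance(vectors[n], vectors[protos[0]]) for n in names}
    while True:
        far = max(names, key=lambda n: nearest[n])
        if nearest[far] <= max_dist:
            return protos
        protos.append(far)
        for n in names:
            nearest[n] = min(nearest[n], distance(vectors[n], vectors[far]))

def assign(vectors: Dict[str, dict], protos: List[str]) -> Dict[str, str]:
    """Actions 2/3: group every report under its nearest prototype. Applied to the
    set the prototypes came from this is the clustering; applied to new reports
    against stored prototypes it is the classification step."""
    return {n: min(protos, key=lambda p: distance(vectors[n], vectors[p]))
            for n in vectors}

if __name__ == "__main__":
    vectors = {name: embed(r) for name, r in REPORTS.items()}
    protos = extract_prototypes(vectors, max_dist=1.0)
    for name, proto in assign(vectors, protos).items():
        print(f"{name} -> cluster of {proto}")
```

With the threshold of 1.0 the two file-dropping samples and the three registry-persistence samples fall into two clusters, each represented by one prototype; lowering the threshold splits them further.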

Dependencies

Debian & Ubuntu Linux
The following packages need to be installed for compiling Malheur on Debian and Ubuntu Linux
gcc
libconfig9-dev
libarchive-dev

For bootstrapping Malheur from the GIT repository or manipulating the automake/autoconf configuration, the following additional packages are necessary.
automake
autoconf
libtool


Mac OS X
For compiling Malheur on Mac OS X a working installation of Xcode is required including gcc. Additionally, the following packages need to be installed via Homebrew
libconfig
libarchive (from homebrew-alt)


OpenBSD
For compiling Malheur on OpenBSD the following packages are required. Note that you need to use gmake instead of make for building Malheur.
gmake
libconfig
libarchive

For bootstrapping Malheur from the GIT repository, the following packages need be additionally installed
autoconf
automake
libtool


Compilation & Installation

From GIT repository first run
$ ./bootstrap
From tarball run
$ ./configure [options]
$ make
$ make check
$ make install

Options for configure
--prefix=PATH           Set directory prefix for installation
By default Malheur is installed into /usr/local. If you prefer a different location, use this option to select an installation directory.



Monday, January 4, 2016

PEframe - Tool to perform static analysis on Portable Executable malware


PEframe is an open source tool to perform static analysis on Portable Executable malware.

Usage
$ peframe malware.exe
$ peframe [--option] malware.exe

Options
--json         Output in json

--import Imported function and dll
--export Exported function and dll

--dir-import Import directory
--dir-export Export directory
--dir-resource Resource directory
--dir-debug Debug directory
--dir-tls TLS directory

--strings Get all strings
--sections Sections information
--dump Dump all information

Install
Prerequisites
Python 2.6.5 -> 2.7.x
Install
from pypi
# pip install https://github.com/guelfoweb/peframe/archive/master.zip
from git
$ git clone https://github.com/guelfoweb/peframe.git

$ cd peframe

# python setup.py install

Example
$ peframe malware.exe

Short information
------------------------------------------------------------
File Name malware.exe
File Size 935281 byte
Compile Time 2012-01-29 22:32:28
DLL False
Sections 4
Hash MD5 cae18bdb8e9ef082816615e033d2d85b
Hash SAH1 546060ad10a766e0ecce1feb613766a340e875c0
Imphash 353cf96592db561b5ab4e408464ac6ae
Detected Xor, Sign, Packer, Anti Debug, Anti VM
Directory Import, Resource, Debug, Relocation, Security

XOR discovered
------------------------------------------------------------
Key length Offset (hex) Offset (dec)
1 0x5df4e 384846
2 0x5df4e 384846
4 0x5df4e 384846
8 0x5df4e 384846

Digital Signature
------------------------------------------------------------
Virtual Address 12A200
Block Size 4813 byte
Hash MD5 63b8c4daec26c6c074ca5977f067c21e
Hash SHA-1 53731a283d0c251f7c06f6d7d423124689873c62

Packer matched [4]
------------------------------------------------------------
Packer Microsoft Visual C++ v6.0
Packer Microsoft Visual C++ 5.0
Packer Microsoft Visual C++
Packer Installer VISE Custom

Anti Debug discovered [9]
------------------------------------------------------------
Anti Debug FindWindowExW
Anti Debug FindWindowW
Anti Debug GetWindowThreadProcessId
Anti Debug IsDebuggerPresent
Anti Debug OutputDebugStringW
Anti Debug Process32FirstW
Anti Debug Process32NextW
Anti Debug TerminateProcess
Anti Debug UnhandledExceptionFilter

Anti VM Trick discovered [2]
------------------------------------------------------------
Trick Virtual Box
Trick VMware trick

Suspicious API discovered [35]
------------------------------------------------------------
Function CreateDirectoryA
Function CreateFileA
Function CreateFileMappingA
Function CreateToolhelp32Snapshot
Function DeleteFileA
Function FindFirstFileA
Function FindNextFileA
Function GetCurrentProcess
Function GetFileAttributesA
Function GetFileSize
Function GetModuleHandleA
Function GetProcAddress
Function GetTempPathA
Function GetTickCount
Function GetUserNameA
Function GetVersionExA
Function InternetCrackUrlA
Function LoadLibraryA
Function MapViewOfFile
Function OpenProcess
Function Process32First
Function Process32Next
Function RegCloseKey
Function RegCreateKeyA
Function RegEnumKeyExA
Function RegOpenKeyA
Function RegOpenKeyExA
Function Sleep
Function WSAStartup
Function WriteFile
Function closesocket
Function connect
Function recv
Function send
Function socket

Suspicious Sections discovered [2]
------------------------------------------------------------
Section .data
Hash MD5 b896a2c4b2be73b89e96823c1ed68f9c
Hash SHA-1 523d58892f0375c77e5e1b6f462005ae06cdd0d8
Section .rdata
Hash MD5 41795b402636cb13e2dbbbec031dbb1a
Hash SHA-1 b674141b34f843d54865a399edfca44c3757df59

File name discovered [43]
------------------------------------------------------------
Binary wiseftpsrvs.bin
Data ESTdb2.dat
Data Favorites.dat
Data History.dat
Data bookmark.dat
Data fireFTPsites.dat
Data quick.dat
Data site.dat
Data sites.dat
Database FTPList.db
Database sites.db
Database NovaFTP.db
Executable unleap.exe
Executable explorer.exe
FTP Config FTPVoyager.ftp
Library crypt32.dll
Library kernel32.dll
Library mozsqlite3.dll
Library userenv.dll
Library wand.dat
Library wininet.dll
Library wsock32.dll
Text Connections.txt
Text ftplist.txt
Text signons.txt
Text signons2.txt
Text signons3.txt

Url discovered [2]
------------------------------------------------------------
Url RhinoSoft.com
Url http://0uk.net/zaaqw/gate.php

Meta data found [4]
------------------------------------------------------------
CompiledScript AutoIt v3 Script
FileVersion 3, 3, 8, 1
FileDescription
Translation 0x0809 0x04b0
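The "XOR discovered" table above lists the same offset for key lengths 1, 2, 4 and 8. The Python below is an added example (not PEframe's code) of the known-plaintext search that produces results of that shape: it looks for a marker string XOR-encoded with a repeating key of those lengths inside a constructed buffer. Using the DOS-stub text every PE carries as the marker is an assumption made for the example; a key that works at length k also works at every multiple of k, which is why one embedded file shows up under several key lengths.

```python
from typing import List, Tuple

# Known-plaintext marker: the DOS-stub text found near the start of every PE.
# Searching for this string is an assumption for the example, not PEframe's code.
MARKER = b"This program cannot be run in DOS mode"

def xor_with_key(buf: bytes, key: bytes) -> bytes:
    """XOR buf with a repeating key (used here to build the constructed sample)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))

def find_xor_markers(data: bytes, marker: bytes = MARKER,
                     key_lengths=(1, 2, 4, 8)) -> List[Tuple[int, int, bytes]]:
    """Return (key_length, offset, key) wherever `marker` appears XOR-encoded
    with a repeating key of one of `key_lengths`. The key is recovered from
    the known plaintext, key[i] = data[off + i] ^ marker[i], then verified
    against the rest of the marker. Unencoded copies (all-zero key) are skipped."""
    hits = []
    last = len(data) - len(marker)
    for off in range(last + 1):
        for k in key_lengths:
            key = bytes(data[off + i] ^ marker[i] for i in range(k))
            if key == bytes(k):
                continue  # marker in the clear: the host file's own DOS stub
            if all(data[off + j] ^ key[j % k] == marker[j] for j in range(len(marker))):
                hits.append((k, off, key))
    return hits

# Constructed sample: a host buffer whose own DOS stub is in the clear at offset 0,
# followed by an embedded second executable (MZ header + marker) encoded with a
# 2-byte key, then padding. No real file bytes are used.
EMBEDDED_KEY = b"\x5a\xa7"
HIDDEN_PE = b"MZ\x90\x00" + bytes(60) + MARKER
SAMPLE = MARKER + bytes(64) + xor_with_key(HIDDEN_PE, EMBEDDED_KEY) + bytes(16)

def report(data: bytes = SAMPLE) -> List[Tuple[int, int]]:
    """(key length, offset) pairs, the columns of the 'XOR discovered' table."""
    return [(k, off) for k, off, _ in find_xor_markers(data)]

if __name__ == "__main__":
    print("Key length  Offset (hex)  Offset (dec)  Key")
    for k, off, key in find_xor_markers(SAMPLE):
        print(f"{k:<11} {off:#x}       {off}           {key.hex()}")
```

The embedded copy is reported at offset 166 for key lengths 2, 4 and 8 but not 1, and the recovered key decodes the hidden marker back to plaintext.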




REMnux v6 - A Linux Toolkit for Reverse-Engineering and Analyzing Malware


REMnux is a free Linux toolkit for assisting malware analysts with reverse-engineering malicious software. It strives to make it easier for forensic investigators and incident responders to start using the variety of freely-available tools that can examine malware, yet might be difficult to locate or set up.

The heart of the project is the REMnux Linux distribution based on Ubuntu. This lightweight distro incorporates many tools for analyzing Windows and Linux malware, examining browser-based threats such as obfuscated JavaScript, exploring suspicious document files and taking apart other malicious artifacts. Investigators can also use the distro to intercept suspicious network traffic in an isolated lab when performing behavioral malware analysis.

Malware Analysis Tools Installed on REMnux

The REMnux distribution includes many free tools useful for examining malicious software. These utilities are set up and tested to make it easier for you to perform malware analysis tasks without needing to figure out how to install them. The majority of these tools are listed below.

ºExamine Browser Malware
ºExamine Document Files
ºExtract and Decode Artifacts
ºHandle Network Interactions
ºProcess Multiple Samples
ºExamine File Properties and Contents
ºInvestigate Linux Malware
ºEdit and View Files
ºExamine Memory Snapshots
ºStatically Examine PE Files
ºInvestigate Mobile Malware
ºPerform Other Tasks

REMnux Documentation 

REMnux documentation is a relatively recent effort, which can provide additional details regarding the toolkit. The document set is in need of improvement and expansion.

The one-page REMnux cheat sheet highlights some of the most useful tools and commands available as part of the REMnux distro. It’s an especially nice starting point for people who are new to the distribution. 



Sunday, August 23, 2015

Engenharia reversa

Copyright © Offensive Sec Blog | Powered by OffensiveSec