2021-08-23 01:13:54 +02:00

# REMnux

* [Documentation](https://docs.remnux.org/)

## Tools

### Peepdf

* Extract the JavaScript from a PDF with a peepdf script file, writing it to `js_from_pdf.js`:

```sh
# peepdf script file: one interactive peepdf command per line
echo 'extract js > js_from_pdf.js' > extract_js.conf
# -s runs the commands from the script file against the PDF
peepdf -s extract_js.conf <file.pdf>
```

### vmonkey

* Detects malicious VBA macro code in documents.

```sh
vmonkey <file.doc>
```

### Packed Binaries

* Can be identified via entropy or the loaded libraries (imports).
* The number of libraries and functions imported by a packed binary is very low. A packed PE may import only `GetProcAddress` and `LoadLibrary`, which the unpacking stub uses to resolve the real imports at runtime.
* [PEiD](https://www.aldeid.com/wiki/PEiD) detects most packers.
* The file [entropy](https://fsec404.github.io/blog/Shanon-entropy/) of a packed binary is high.
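As an added example (not from these notes or from REMnux itself), the two heuristics above combined in Python: the Shannon entropy of a byte blob plus a check for a tiny, stub-like import list. The thresholds, the `STUB_IMPORTS` set and the sample data are assumptions or constructed; a real check would feed in section bytes and the import table read by a PE parser.

```python
import math
from collections import Counter

# Assumed thresholds (not from the notes above): entropy is in bits per byte, 8.0 is the maximum
HIGH_ENTROPY = 7.0
LOW_IMPORT_COUNT = 5
# Imports an unpacking stub typically keeps to resolve the real API table at runtime
STUB_IMPORTS = {"LoadLibrary", "LoadLibraryA", "LoadLibraryW", "GetProcAddress"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packer_indicators(data: bytes, imports: list) -> dict:
    """Combine the two heuristics: high entropy and a very short, stub-like import list."""
    ent = shannon_entropy(data)
    non_stub = [name for name in imports if name not in STUB_IMPORTS]
    return {
        "entropy": round(ent, 3),
        "high_entropy": ent >= HIGH_ENTROPY,
        "import_count": len(imports),
        "stub_imports_only": bool(imports) and not non_stub,
        # require both signals: either alone also fires on compressed resources or tiny utilities
        "likely_packed": ent >= HIGH_ENTROPY and len(imports) <= LOW_IMPORT_COUNT,
    }


# Constructed samples standing in for a code section's raw bytes (no real binaries involved)
PLAIN_SAMPLE = b"This program cannot be run in DOS mode.\r\n" * 64   # repetitive text, low entropy
PACKED_SAMPLE = bytes((i * 73 + 11) % 256 for i in range(4096))     # every byte value 16 times: 8.0
PLAIN_IMPORTS = ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle", "MessageBoxA", "ExitProcess"]
PACKED_IMPORTS = ["LoadLibraryA", "GetProcAddress"]

if __name__ == "__main__":
    for label, data, imports in (("plain", PLAIN_SAMPLE, PLAIN_IMPORTS),
                                 ("packed", PACKED_SAMPLE, PACKED_IMPORTS)):
        print(label, packer_indicators(data, imports))
```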

### Volatility

* [Cheat sheet](https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf)
* Basic info, find the OS profile:

```sh
# <file.iso> is the captured memory image; imageinfo suggests candidate profiles
volatility -f <file.iso> imageinfo
# kdbgscan locates the kernel debugger block and confirms the profile
volatility -f <file.iso> kdbgscan
```

* Process list:

```sh
volatility -f <file.iso> --profile <OSprofile> pslist
```

* List the DLLs loaded by a process:

```sh
volatility -f <file.iso> --profile <OSprofile> dlllist -p <PID>
```

* Last accessed directories (ShellBags):

```sh
volatility -f <file.iso> --profile <OSprofile> shellbags
```