killchain-compendium/stego/docs/remnux.md

# ReMnux
* [Documentation](https://docs.remnux.org/)

## Tools

### Peepdf
* Extracting JS from PDF using config file into `js_from_pdf.js`
```sh
echo 'extract js > js_from_pdf.js' > extract_js.conf 
peepdf -s extract_js.conf <file.pdf>
```

### vmonkey
* Detects malicious VBasic code in documents.
```sh
vmonkey <file.doc>
```

### Packaged Binaries
* Can be identified via entropy or loaded libs
    * The count of libs loaded by a packaged bin is very low. A packaged PE could load `GetProcAddress` or `LoadLibrary`.
    * [PEiD](https://www.aldeid.com/wiki/PEiD) detects most packers.
    * File [Entropy](https://fsec404.github.io/blog/Shanon-entropy/) of a packaged is high.

### Volatility
* [Cheat sheet](https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf)
* Basic Info, find OS profile
```sh
volatility -f <file.iso> imageinfo
```
* Process list
```sh
volatility -f <file.iso> --profile <OSprofile> pslist
```
* List dlls
```sh
volatility -f <file.iso> --profile <OSprofile> dlllist -p <PID>
```
second commit 2021-08-23 01:13:54 +02:00			`# ReMnux`
			`* [Documentation](https://docs.remnux.org/)`

			`## Tools`

			`### Peepdf`
			* Extracting JS from PDF using config file into `js_from_pdf.js`
			```sh
			`echo 'extract js > js_from_pdf.js' > extract_js.conf`
			`peepdf -s extract_js.conf <file.pdf>`
			```

			`### vmonkey`
			`* Detects malicious VBasic code in documents.`
			```sh
			`vmonkey <file.doc>`
			```

			`### Packaged Binaries`
			`* Can be identified via entropy or loaded libs`
			* The count of libs loaded by a packaged bin is very low. A packaged PE could load `GetProcAddress` or `LoadLibrary`.
			`* [PEiD](https://www.aldeid.com/wiki/PEiD) detects most packers.`
			`* File [Entropy](https://fsec404.github.io/blog/Shanon-entropy/) of a packaged is high.`

			`### Volatility`
			`* [Cheat sheet](https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf)`
			`* Basic Info, find OS profile`
			```sh
			`volatility -f <file.iso> imageinfo`
			```
			`* Process list`
			```sh
			`volatility -f <file.iso> --profile <OSprofile> pslist`
			```
			`* List dlls`
			```sh
			`volatility -f <file.iso> --profile <OSprofile> dlllist -p <PID>`
			```