killchain-compendium/stego/docs/remnux.md


REMnux

Tools

Peepdf

  • Extract the JavaScript from a PDF into js_from_pdf.js by running peepdf in script mode (-s) with a one-line command file
echo 'extract js > js_from_pdf.js' > extract_js.conf
peepdf -s extract_js.conf <file.pdf>

vmonkey

  • Detects malicious VBA (Visual Basic for Applications) macro code in Office documents.
vmonkey <file.doc>

Packed Binaries

  • Can be identified via entropy or via the imported libraries and functions
    • A packed binary imports very few functions: a packed PE may import only GetProcAddress and LoadLibrary, which it uses to resolve the real imports at run time.
    • PEiD detects most packers.
    • The file entropy of a packed binary is high.
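As an added example (not code from the compendium or from REMnux): a small Python script that applies the two heuristics above, high entropy and a tiny import table, to constructed sample data. The thresholds (7.2 bits/byte, fewer than 5 imports), the sample import lists and the byte buffers are assumptions made for illustration; no real binaries are parsed, and in real triage the same functions would be fed section bytes and the import table obtained from a library such as pefile.

```python
import math
import random
from typing import List, Tuple

# Constructed sample "import tables" (not taken from any real binary).
# A normal PE imports many distinct APIs; a packed PE often keeps only the
# two it needs to rebuild its import table at run time.
NORMAL_IMPORTS = ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle",
                  "GetProcAddress", "LoadLibraryA", "MessageBoxW", "ExitProcess",
                  "VirtualAlloc", "HeapAlloc", "GetModuleHandleW", "RegOpenKeyExW"]
PACKED_IMPORTS = ["LoadLibraryA", "GetProcAddress"]

# Heuristic thresholds: assumptions chosen for illustration, not values
# taken from REMnux or PEiD.
HIGH_ENTROPY_BITS = 7.2   # random/compressed data is usually above this
FEW_IMPORTS = 5           # fewer distinct imports than this is suspicious
LOADER_APIS = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"}


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    # `or 0.0` turns the -0.0 produced for a single-symbol buffer into 0.0
    return -sum((c / n) * math.log2(c / n) for c in counts if c) or 0.0


def entropy_windows(data: bytes, window: int = 1024) -> List[Tuple[int, float]]:
    """Entropy per fixed-size window as (offset, bits) pairs, so the packed
    region can be located inside an otherwise ordinary-looking file."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def packer_indicators(data: bytes, imports: List[str]) -> List[str]:
    """Return the textual indicators suggesting that the sample is packed."""
    hits = []
    if shannon_entropy(data) > HIGH_ENTROPY_BITS:
        hits.append("high overall entropy")
    distinct = set(imports)
    if len(distinct) < FEW_IMPORTS:
        hits.append("very few imports")
    if distinct and distinct <= LOADER_APIS:
        hits.append("imports limited to LoadLibrary/GetProcAddress")
    return hits


def build_sample(seed: int = 7) -> Tuple[bytes, bytes]:
    """Constructed stand-ins for file contents (no real binaries involved):
    a 'normal' body of repetitive ASCII, and a 'packed' body made of a short
    plain-text stub followed by pseudo-random, compressed-looking bytes."""
    rnd = random.Random(seed)
    normal = b"int main(void) { return 0; } // plain code and strings\n" * 80
    stub = b"UNPACK STUB: copies payload then jumps to it\n" * 20
    payload = bytes(rnd.getrandbits(8) for _ in range(4096))
    return normal, stub + payload


if __name__ == "__main__":
    normal, packed = build_sample()
    print("normal entropy: %.2f bits/byte" % shannon_entropy(normal))
    print("packed entropy: %.2f bits/byte" % shannon_entropy(packed))
    for off, bits in entropy_windows(packed):
        print("  offset %5d: %.2f bits/byte" % (off, bits))
    print("normal:", packer_indicators(normal, NORMAL_IMPORTS) or ["no indicators"])
    print("packed:", packer_indicators(packed, PACKED_IMPORTS))
```

The per-window view is the useful part in practice: a packer's unpacking stub is ordinary low-entropy code, so whole-file entropy can be diluted by it while the windows over the compressed payload still sit near 8 bits per byte.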

Volatility

  • Identify the memory image's OS profile
volatility -f <file.iso> imageinfo
  • Process list
volatility -f <file.iso> --profile <OSprofile> pslist
  • List the DLLs loaded by a process
volatility -f <file.iso> --profile <OSprofile> dlllist -p <PID>