Recently I came across this Linux distro, REMnux Linux, which looks purpose-built for analyzing malware.
REMnux Linux, a Linux distro built specifically for malware analysis
Since it is meant for analyzing malware, it is delivered differently from a general-purpose OS: the official site (REMnux.org) offers VirtualBox / VMware images and a Live CD ISO rather than a system installation disc.
Below is a summary of which tools this distro bundles and what each is for; check the official website for the latest version.
The following is excerpted from: REMnux: A Linux Distribution for Reverse-Engineering Malware
Malware Analysis Tools Set Up On REMnux
- Analyze Flash malware: SWFTools, flasm, flare, RABCDAsm, xxxswf.py and extract_swf.py
- Observe and interact with network activities: Wireshark, Honeyd, INetSim, fakedns, fakesmtp, NetCat, NetworkMiner, ngrep, pdnstool, tcpdump, IRC server (Inspire IRCd) and IRC client (epic5)
- Decode JavaScript: Firefox Firebug, QuickJava and JavaScript Deobfuscator extensions, Rhino debugger, JS-Beautify, SpiderMonkey, V8, Windows Script Decoder, Malzilla and Jsunpackn
- Explore and interact with web malware: Firefox User Agent Switcher extension, TinyHTTPd, Burp Proxy, Stunnel, Tor, Jsunpackn and torsocks
- Analyze shellcode: gdb, objdump, Radare, shellcode2exe, libemu (sctest), udis86 (udcli)
- Examine suspicious executables: upx, packerid, bytehist, DensityScout, xorsearch, xortool, TRiD, xortools.py, NoMoreXOR, brutexor, XORBruteForcer, ClamAV, ssdeep, md5deep, pescanner, pev, dism-this, ExeScan, autorule (/usr/local/autorule), disitool and Pyew
- Analyze malicious documents: Didier Stevens' PDF tools, Origami framework, PDF X-RAY Lite, Peepdf, Jsunpackn, pdftk, pyOLEScanner.py, OfficeMalScanner, and Hachoir
- Decompile Java programs: Jad, JD-gui
- Perform memory forensics: Volatility Framework, bulk_extractor, AESKeyFinder and RSAKeyFinder.
- Handle miscellaneous tasks: unzip, unrar, strings, feh image viewer, SciTE text editor, OpenSSH server, findaes, Xpdf PDF viewer, VBinDiff file comparison/viewer, ProcDot, hack-functions (/usr/local/hack-functions), ExifTool, MASTIFF and XMind.
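The "Examine suspicious executables" entry above bundles several XOR tools (xorsearch, xortool, brutexor, XORBruteForcer). What they do is simple enough to show in full; the script below is an added example written for this page, not code from REMnux or from any of those tools. It implements the two classic single-byte approaches: the xorsearch-style scan, which XOR-encodes a known plaintext (here the DOS stub string found in nearly every PE file) under each of the 256 keys and looks for it in the raw file, and the xortool-style frequency guess, which assumes the most frequent plaintext byte is 0x00 (true for most executables). The sample payload is constructed inline so it runs offline; multi-byte or rolling keys are out of scope here and are what xortool proper adds.

```python
from collections import Counter

# DOS stub string present in nearly every PE file; xorsearch ships a similar
# default search term, and brutexor/xortool use the same idea.
PE_STUB = b"This program cannot be run in DOS mode"


def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a one-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def xorsearch(data: bytes, needle: bytes = PE_STUB) -> list:
    """xorsearch-style scan: for each key 0x00..0xFF, encode the *needle*
    (not the whole file) and search the raw data for it, so the cost is one
    find() per key. Returns [(key, offset), ...] for every hit."""
    hits = []
    for key in range(256):
        encoded = xor_single(needle, key)
        off = data.find(encoded)
        while off != -1:
            hits.append((key, off))
            off = data.find(encoded, off + 1)
    return hits


def guess_key_by_frequency(data: bytes, expected: int = 0x00) -> int:
    """xortool-style guess: the most frequent ciphertext byte is assumed to
    encode the most frequent plaintext byte (0x00 for PE files, 0x20 for text).
    Works because single-byte XOR is a fixed permutation of byte values."""
    (byte, _count), = Counter(data).most_common(1)
    return byte ^ expected


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check for a decoded candidate: an MZ header whose
    e_lfanew field (offset 0x3C) points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_sample(key: int) -> bytes:
    """Constructed stand-in for an XOR-encoded dropper payload (not a real
    binary): minimal MZ header, DOS stub string at its usual offset 0x4E,
    a PE signature and zero padding, all XOR'd with `key`."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    header[0x3C:0x40] = (0x80).to_bytes(4, "little")   # e_lfanew -> 0x80
    header[0x4E:0x4E + len(PE_STUB)] = PE_STUB
    plain = bytes(header) + b"PE\x00\x00" + bytes(0x200)
    return xor_single(plain, key)


if __name__ == "__main__":
    blob = build_sample(0x5A)   # pretend this came out of a dropper's resource section
    print("known-plaintext hits:", [(hex(k), hex(o)) for k, o in xorsearch(blob)])
    guessed = guess_key_by_frequency(blob)
    print("frequency guess: key", hex(guessed))
    decoded = xor_single(blob, guessed)
    print("decoded looks like PE:", looks_like_pe(decoded))
```

In practice the two methods cross-check each other: a key that the frequency guess proposes but that yields no known-plaintext hit (or fails the MZ/PE check) usually means the encoding is not plain single-byte XOR, which is when xortool's multi-byte key-length analysis or brutexor's wider search comes in.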
The following is excerpted from: REMnux Usage Tips for Malware Analysis on Linux (how to use it). The commands below are Volatility Framework plugins for memory forensics, invoked as vol.py -f <memory image> --profile=<profile> <plugin>:
- Spot hidden processes: psxview
- List all processes: pslist, psscan
- Show a registry key: printkey -K key
- Extract process image: procexedump
- Extract process memory: memdump, vaddump
- List open handles, files, DLLs and mutant objects: handles, filescan, dlllist, mutantscan
- List services, drivers and kernel modules: svcscan, driverscan, modules, modscan
- View network activities: connscan, connections, sockets, sockscan, netscan
- View activity timeline: timeliner, evtlogs
- Find and extract malware: malfind, apihooks
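The cheat-sheet entries above are usually run as one batch against an image. The script below is an added example for this page, not from the REMnux project, the usage-tips article or the Volatility project. It assumes Volatility 2.x (vol.py on PATH, overridable with VOL=), that the image's profile has already been determined with imageinfo or kdbgscan, and that psxview prints the PID in column 3 and the pslist column in column 4 (the 2.x layout); the Run key passed to printkey is an example key to adjust for the case at hand.

```sh
#!/bin/sh
# Volatility 2.x memory triage: run the listing plugins from the cheat sheet,
# then dump anything psxview flags as hidden. Added example, not REMnux code.
set -eu

VOL="${VOL:-vol.py}"          # Volatility 2.x entry point (assumption: on PATH)
OUT="${OUT:-vol-out}"         # where per-plugin output lands

# Plugins from the cheat sheet that only list things. Dumping plugins
# (procexedump, memdump) need a PID and are run separately below.
LISTING_PLUGINS="psxview pslist psscan handles filescan dlllist mutantscan \
svcscan driverscan modules modscan connscan connections sockets sockscan \
netscan timeliner evtlogs malfind apihooks"

# run_plugin IMG PROFILE PLUGIN [extra args...]
# Writes stdout to $OUT/<plugin>.txt, stderr to $OUT/<plugin>.err, and prints
# the output path. A failing plugin is reported but does not stop the batch.
run_plugin() {
    img="$1"; profile="$2"; plugin="$3"; shift 3
    mkdir -p "$OUT"
    "$VOL" -f "$img" --profile="$profile" "$plugin" "$@" \
        > "$OUT/$plugin.txt" 2> "$OUT/$plugin.err" \
        || echo "warning: $plugin failed, see $OUT/$plugin.err" >&2
    echo "$OUT/$plugin.txt"
}

# hidden_pids PSXVIEW_OUTPUT
# A process that psscan (or another source) sees but pslist does not shows
# "False" in psxview's pslist column; those PIDs are the ones worth dumping.
# Assumes the Volatility 2.x column order: Offset(P) Name PID pslist psscan ...
hidden_pids() {
    awk '$4 == "False" { print $3 }' "$1"
}

# main IMG PROFILE
main() {
    img="$1"; profile="$2"
    for p in $LISTING_PLUGINS; do
        run_plugin "$img" "$profile" "$p" > /dev/null
    done
    # Example key (assumption): the classic per-machine autorun location.
    run_plugin "$img" "$profile" printkey \
        -K 'Software\Microsoft\Windows\CurrentVersion\Run' > /dev/null
    mkdir -p "$OUT/dump"
    for pid in $(hidden_pids "$OUT/psxview.txt"); do
        echo "hidden process PID $pid: extracting image and memory" >&2
        run_plugin "$img" "$profile" procexedump -p "$pid" --dump-dir "$OUT/dump" > /dev/null
        run_plugin "$img" "$profile" memdump     -p "$pid" --dump-dir "$OUT/dump" > /dev/null
    done
}

# Usage: ./triage.sh memory.img Win7SP1x86
if [ $# -ge 2 ]; then main "$@"; fi
```

Keeping one file per plugin makes the follow-up work from the cheat sheet straightforward: diff pslist.txt against psscan.txt, grep connscan.txt for the C2 addresses, and feed the dumped executables back into the static tools from the first list (ssdeep, pescanner, ClamAV).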