This repository maintains the SaltStack state files for the REMnux distro.
Home Page: https://REMnux.org
This repository contains supplemental files for the REMnux distro and the source files for the Debian packages that the distro installs from the REMnux package repository on Launchpad.
saltstack.log
After following the simple steps to get vbox virtual appliance running, I try remnux upgrade and get:
...
Running: ssh <--------(always fails here)
Update returned exit code not zero
Error: Update returned exit code not zero
at ChildProcess. (/snapshot/remnux-cli/remnux-cli.js:551:23)
at ChildProcess.emit (events.js:315:20)
at maybeClose (internal/child_process.js:1021:16)
at Process.ChildProcess._handle.onexit (internal/child_process.js:286:5)
when I go to saltstack.log in the directory that matches the REMnux version I'm upgrading to, after grep searching for [ERROR ] lines (apart from those 'cannot parse lines..') I only find:
[ERROR ] Command '['/opt/viper/bin/pip3', 'install', '--requirement', '/home/remnux/.viper/modules/requirements.txt', '--disable-pip-version-check', '--upgrade']' failed with return code: 1
[ERROR ] stdout: Requirement already up-to-date: androguard==3.3.5 in /opt/viper/lib/python3.6/site-packages (from -r /home/remnux/.viper/modules/requirements.txt (line 4)) (3.3.5)
...
[ERROR ] stderr: WARNING: The directory '/home/remnux/.cache/pip' or its parent directory is not owned or is not writable by the current user. The cache has been disabled. Check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
ERROR: Package 'scrapysplashwrapper' requires a different Python: 3.6.9 not in '>=3.7,<4.0'
[ERROR ] retcode: 1
[ERROR ] Unable to process requirements file "/home/remnux/.viper/modules/requirements.txt". Error: Requirement already up-to-date: androguard==3.3.5 in /opt/viper/lib/python3.6/site-packages (from -r /home/remnux/.viper/modules/requirements.txt (line 4)) (3.3.5)
But the installation continues...
I tried also installing the new Guest tools, since vm seems pretty slow (even though it's running into a decent host) with default conf. Definitely much slower than v6. Of course tried also cleaning apt caches etc. as indicated before trying each time.
Always fails at the same step (which might rule out network load or connectivity problems)
Might be sth I'm doing incorrectly but it's difficult since upgrading is literally the first action I try on the provided vm.
Attached the log file for reference.
Help apreciated.
Hello again.
I just recently finished a new Python-based tool called dllcharacteristics.py found here.
It is inspired by Didier Steven's setdllcharacteristics tool. Just like the original it can set the flags for DYNAMIC_BASE, NX_COMPAT, and FORCE_INTEGRITY which is helpful for malware analysis and reverse engineering.
I also added new features like the ability to set all other available DLL characteristics options and can also print whether each one is set or not.
Just a brief preview of what it can do:
$ ./dllcharacteristics.py test.exe
Characteristics:
- 0: HIGH_ENTROPY_VA
- 1: DYNAMIC_BASE
- 0: FORCE_INTEGRITY
- 1: NX_COMPAT
- 0: NO_ISOLATION
- 0: NO_SEH
- 0: NO_BIND
- 0: APPCONTAINER
- 0: WDM_DRIVER
- 0: GUARD_CF
- 1: TERMINAL_SERVER_AWARE$ ./dllcharacteristics.py -s NO_BIND 1 -o output.exe test.exe
[INFO] Setting characteristic for NO_BIND to 1
[INFO] Writing to output.exe$ ./dllcharacteristics.py -d 0 -f 1 -n 0 -o output.exe test.exe
[INFO] Setting characteristic for DYNAMIC_BASE to 0
[INFO] Setting characteristic for NX_COMPAT to 0
[INFO] Setting characteristic for FORCE_INTEGRITY to 1
[INFO] Writing to output.exeIf this is something that could benefit Remnux users then I would be happy to make a pull request.
In the process of installing REMnux on a fresh ubuntu 18.04 VM, I would get an installation error. Upon reviewing the saltstack.log I discovered a number of the oletools with "path not found." The installer was looking for the tool in /usr/local/bin however the tools were installed in /usr/bin.
As a work around, I just copied the oletool binaries to the folder the installer was looking at.
# sudo cp /usr/bin/ole* /usr/local/bin/
Please look into this issue.
I am running into an error when trying to use Speakeasy.
AssertionError: Requires unicorn version: 1.0.2rc4
It seems it has something to do with the versioning for Unicorn. Maybe one of the salt-states needs updating? I'm currently looking into this. If I manage to solve it then I'll make a pull-request and update this issue.
To anyone interested, below is the full output of the error:
emnux@remnux:~/malware/cotizacin$ run_speakeasy.py -t cotizacin-s2-cutted.bin -r -a x86
Process Process-1:
Traceback (most recent call last):
File "/usr/local/bin/run_speakeasy.py", line 50, in emulate_binary
sc_addr = se.load_shellcode(fpath, arch)
File "/usr/local/lib/python3.8/dist-packages/speakeasy/speakeasy.py", line 234, in load_shellcode
self._init_emulator(is_raw_code=True)
File "/usr/local/lib/python3.8/dist-packages/speakeasy/speakeasy.py", line 114, in _init_emulator
self.emu = Win32Emulator(config=self.config, logger=self.logger, argv=self.argv,
File "/usr/local/lib/python3.8/dist-packages/speakeasy/windows/win32.py", line 34, in __init__
super(Win32Emulator, self).__init__(config, debug=debug, logger=logger,
File "/usr/local/lib/python3.8/dist-packages/speakeasy/windows/winemu.py", line 96, in __init__
self._parse_config(config)
File "/usr/local/lib/python3.8/dist-packages/speakeasy/windows/winemu.py", line 121, in _parse_config
super(WindowsEmulator, self)._parse_config(config)
File "/usr/local/lib/python3.8/dist-packages/speakeasy/binemu.py", line 92, in _parse_config
self.emu_eng = eng()
File "/usr/local/lib/python3.8/dist-packages/speakeasy/engines/unicorn_eng.py", line 64, in __init__
assert __required_version__ == unicorn_ver, ('Requires unicorn version: %s' %
AssertionError: Requires unicorn version: 1.0.2rc4
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.8/multiprocessing/process.py", line 315, in _bootstrap
self.run()
File "/usr/lib/python3.8/multiprocessing/process.py", line 108, in run
self._target(*self._args, **self._kwargs)
File "/usr/local/bin/run_speakeasy.py", line 58, in emulate_binary
report = se.get_json_report()
File "/usr/local/lib/python3.8/dist-packages/speakeasy/speakeasy.py", line 36, in wrap
raise SpeakeasyError('Emulator not initialized')
speakeasy.errors.SpeakeasyError: Emulator not initialized
* Finished emulating
We recently deployed a vm of Remnux 7 in our environment (going from 6) we attempted to run remnux upgrade and this fails due to a "self signed certificate in certificate chain" This fails immediatly while trying to grab the remnux-salt-stats-v2020.33.6.tar.gz.asc
our systems go through an SSL proxy that does ssl inspection. I added our CA to the OS and the OS grabs what we need just fine, however. I cannot find where to put certs in place that would allow this to be fixed up. most googling shows how to push out CA certs and the like, but not add a trusted CA to salt itself.
if this is not possible, I would like to make this a feature request, if possible.
Can we please port the "accept-all-ips" shell script to 7?
if its not too late what do think of this https://github.com/N1ght-W0lf/HawkEye/blob/master/README.md
Good day,
I couldn't get shellcode2exe.bat to work (Something about read access denied) so I checked it's code and found out that the code is very simple and that it uses Wine to run.
I decided to make my own tool that does the same thing but does not require Wine and also runs on Linux and Windows. Here it is: https://github.com/accidentalrebel/shcode2exe
I believe that this would be an easier to use alternative that would be great for Remnux users. Of course, I am open to suggestions and comments to improve it further.
Thanks!
This is maintained by the debian team. Details here:
Like Chronicle Security's VirusTotal there is a InQuest free/open look at https://labs.inquest.net/ they state the following:
Apologies I thought I originally add this as part of the OP.
Originally posted by @citizenstaar in #71 (comment)
https://github.com/fireeye/stringsifter
Please let me know if its too late for additional requests. I am testing tools as I get a chance.
https://github.com/securisec/chepy
thank you
Many reasons to have this tool. Specifically I am trying to validate the results from testing:
https://github.com/cryptax/droidlysis
Please let me know if more is needed to justify the addition.
Some fixes for broken packages:
python-software-properties has become software-properties-common
graphviz-dev has become libgraphviz-dev
This is where the tool can be found:
https://github.com/hasherezade/bearparser
This is a sample of its usage:
https://github.com/hasherezade/bearparser/wiki/bearcommander
Thank you for your consideration and review.
Have not used but this looks promising. Links:
really like this tool a lot
https://github.com/fireeye/stringsifter
Example is Tekdefense Automater install.
Please reference:
Thank you for your review and consideration.
Rendering SLS 'base:remnux.config.wget' failed: Jinja variable 'dict object' has no attribute 'home'
Rendering SLS 'base:remnux.config.curl' failed: Jinja variable 'dict object' has no attribute 'home'
Sample:
This is a placeholder and not urgent. "Unmaximize" makes the issue go away.
In the readme you have
git clone https://github.com:REMnux/states.git /svr/salt/remnux
but it cant find state.git so I used git clone https://github.com/REMnux/salt-states.git /svr/salt/remnux
When applying the state I get:
salt-call state.apply Function state.apply is not available
This would just be a call to java and the current version of cfr.
Can we please consider the following for inclusion on this release:
https://github.com/JusticeRage/Manalyze
Example of what someone did with the extracted data:
https://pbs.twimg.com/media/EXVACtdVcAArO8E.jpg
My thanks for your review and consideration.
Can we add a short cut for this in the menu? Confirming it does execute.
Looks like version 1.11.3 got removed and 404's
[ERROR ] Failed to cache https://didierstevens.com/files/software/XORSearch_V1_11_3.zip: Error: HTTP 404: Not Found reading https://didierstevens.com/files/software/XORSearch_V1_11_3.zip
Version 1.11.1 is still available.
https://didierstevens.com/files/software/XORSearch_V1_11_1.zip
Hey @ekristen, I was wondering if REMnux supports Ubuntu 18.04 at this stage?
Done. Thanks for the suggestion.
You'll get the dex2jar package if you run remnux upgrade. Could you give it a try, please, to confirm it installs correctly?
Originally posted by @lennyzeltser in #46 (comment)
See:
sls: remnux.packages.dex2jar
changes: {}
comment: "Problem encountered installing package(s). Additional info follows:\n\nerrors:\n
\ - Running scope as unit: run-rfafaf596b13942898abe4928079cb126.scope\n E:
Unmet dependencies. Try 'apt --fix-broken install' with no packages (or specify
a solution)."
duration: 667.667
name: dex2jar
result: false
start_time: '22:21:22.721752'
v2020.25.1
Can we please add this to Remnux 7 (cabextract)?
Thanks as always for your review and consideration.
The readme contains a good overview:
https://github.com/alexandreborges/malwoverview
Thank you for your review and consideration.
Quick documentation: references to games is uneeded and there appears to be some "leftover" material under /usr/local from other installations.
Can we add "CyberChef" to the menu? Confirming it is usable as of v2020.25.1.
Is it of interest to have reference sheet(s) for malware handling by type or tool usage with samples?
Thanks for our review and feedback.
dbohatec@ubuntu:~$ sudo salt-call state.sls remnux
[ERROR ] DNS lookup of 'salt' failed.
[ERROR ] Master hostname: 'salt' not found. Retrying in 30 seconds
[ERROR ] DNS lookup of 'salt' failed.
[ERROR ] Master hostname: 'salt' not found. Retrying in 30 seconds
[ERROR ] DNS lookup of 'salt' failed.
[ERROR ] Master hostname: 'salt' not found. Retrying in 30 seconds
Sorry guys,
Environment:
Pulled remnux-cli, verified, completed your documentation steps, and installed using the sudo remnux install command. Install failed and upon reviewing the saltstack log, I got a "one or more requisite failed: remnux.python-packages.viper-framework..."
Attaching the log file.
saltstack.log
Good day. I have a new tool called MBCScan. It scans a malicious file and then lists the related MBC behaviors (Malware Behavior Catalog). MBC is similar to Mitre ATTA&CK but is specifically made for cataloguing malware. More info here.
The tool determines the MBC behaviors using Flare's Capa as a library. The information is then presented via an interactive mode to make it easy to go through the result.
I am hoping this tool can be added to Remnux to spread more awareness about the MBC project. I think it has a lot of potential especially for making standardized malware reporting.
Here is a sneak peak of the tool:
$ sha256sum test.bin
f8ad6ecb49e68ac7cf261551f01d8ef3348e347cf4239368a26bb2b3ec372904 test.bin
$ ./mbcscan.py -i test.bin
[INFO] Setting up mbc database...
[INFO] Scanning test.bin...
================================================================================
Behaviors list:
================================================================================
(0) [B0012.001] Anti-Static Analysis::Argument Obfuscation
(1) [C0003.002] Communication Micro-objective::Connect Pipe::Interprocess Communication
(2) [C0003.003] Communication Micro-objective::Read Pipe::Interprocess Communication
(3) [C0003.004] Communication Micro-objective::Write Pipe::Interprocess Communication
(4) [C0045] File System Micro-objective::Copy File
(5) [C0047] File System Micro-objective::Delete File
(6) [C0051] File System Micro-objective::Read File
(7) [C0052] File System Micro-objective::Writes File
(8) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
(9) [C0040] Process Micro-objective::Allocate Thread Local Storage
(10) [C0042] Process Micro-objective::Create Mutex
(11) [C0041] Process Micro-objective::Set Thread Local Storage Value
(12) [C0018] Process Micro-objective::Terminate Process
__ ___ ____ ______ _____
/ |/ // __ ) / ____// ___/ _____ ____ _ ____
/ /|_/ // __ |/ / \__ \ / ___// __ `// __ \
/ / / // /_/ // /___ ___/ // /__ / /_/ // / / /
/_/ /_//_____/ \____/ /____/ \___/ \__,_//_/ /_/
Type "?" r "help" to display help.View the details of a specific entry with the select command.
(mbcscan) s 3
================================================================================
Name: Write Pipe::Interprocess Communication
================================================================================
MBC_ID: attack-pattern--0947cd27-a2b6-466f-b47c-4d36e4ce06cb
External ID: C0003.004
Objectives: [OC0006] Communication Micro-objective
Parent: [C0003] Interprocess Communication
Related: [C0003.004] Write Pipe::Interprocess Communication, [C0003.001]
Create Pipe::Interprocess Communication, [C0003.002] Connect
Pipe::Interprocess Communication, [C0003.003] Read
Pipe::Interprocess Communication
Samples: None
External references:
- https://github.com/MBCProject/mbc-markdown/blob/v2.1/micro-behaviors/communication/inter-process.md
--------------------------------------------------------------------------------To view details of other entries, use the query command.
(mbcscan) q x0004
================================================================================
Name: Dark Comet
================================================================================
MBC_ID: malware--19d14868-ff81-4c8c-9a6a-c57baf7e7f52
External ID: X0004
Objectives: None
Parent: None
Related: None
Samples: None
Description: A Remote Access Trojan (RAT) that allows a user to control the
system via a GUI. It has many features which allows a user to use
it as administrative remote help tool; however, DarkComet has
many features which can be used maliciously. DarkComet is
commonly used to spy on the victims by taking screen captures,
key-logging, or password stealing.
External references:
- https://github.com/MBCProject/mbc-markdown/blob/v2.1/xample-malware/dark-comet.md
- https://en.wikipedia.org/wiki/DarkComet
--------------------------------------------------------------------------------I can open a pull request if you think this would be a good fit for Remnux users. Thanks!
It seems if I run Ghidra after having a prior project it attempts to open the project and is stuck on load(you cannot cancel via the GUI).
Kill running instance of java.
Removal or movement of prior projects.
Reopen Ghidra
Can we add apktool? Thank you for reviewing.
Can we add "NetworkMiner" to the menu? Confirming it executes as of v2020.25.1.
Can we add jd-guil? Thank you for reviewing.
Not sure the preference on the format for requesting tools. But can we please add dex2jar.
Thank you for reviewing.
Hi
I'v tried many ways to install remnux on ubuntu 16.04 but it is not possible.
Remnux-cli doesn't work, tried Salt State way but I stucked on the third point .
git clone https://github.com:REMnux/states.git /srv/salt cannot be download because there is no such file as states.git in remnux repository.
I don't think that now with distro 16.04.6 LTS (Xenial Xerus) it is possible to install remnux.
If someone can show me trusted way to do it I will be very greatfull :)
Reference can be found here:
https://github.com/carbonblack/binee
This is in the binary simulation space. Thanks.
Please reference:
https://blog.didierstevens.com/2018/12/10/update-rtfdump-py-version-0-0-9/#comments
Thank you for your review and consideration.
Reference for tool can be found here:
https://github.com/inquest/python-inquestlabs
Thank you for your review.
A different member of the community documented the installation and their usage of dnspy here:
https://ccifra.github.io/PortingWPFAppsToLinux/Overview.html
In the current build you need to add dotnet to the current wine install.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.