This section will contain documentation about the tools installed on the REMnux® distro. Would you like to contribute your insights on REMnux and its tools to expand this document set?
Tools Installed on REMnux
The listing of tools installed on REMnux outlines and categorizes the utilities you can use for analyzing malicious software on REMnux. For additional details, take a look at the XLSX spreadsheet or the XMind-formatted mind map, which outline these tools.
REMnux Cheat Sheet
The one-page REMnux cheat sheet highlights some of the most useful tools and commands available on REMnux. It’s an especially nice starting point for people who are new to the distro.
Recorded REMnux Webcasts
To get started with the REMnux distro and become familiar with some of its capabilities, tune into the following recorded webcasts:
- Malware Analysis Essentials Using REMnux by Lenny Zeltser
- What’s New in REMnux v4 by Lenny Zeltser
- How to analyze malware with REMnux’s reverse-engineering malware tools by Keith Barker
Articles on Using REMnux or its Tools
Here are some of the blog posts and articles written about using REMnux for malware analysis:
- Dynamic Malware Analysis With REMnux by Luis Rocha, continued in part 2
- Memory Forensics With Volatility on REMnux by Luis Rocha, continued in part 2
- Getting What You Want Out of a PDF with REMnux by Glenn Edwards
- REMnux: Reverse-Engineering Malware by Michael Kassner
- Malware Analysis Lab - A Fast and Cost Effective “HowTo” by ThreatConnect
- REMnux Tutorial: Statically Analyse Portable Executable (PE) Files by Rhydham Joshi, continued in Part 2: Extraction and Decoding of Artifacts
- Analyzing Office Weaponized Documents by dfir it!
- Malicious Documents - PDF Analysis in 5 Steps by Luis Rocha
- REMnux v6 for Malware Analysis: VolDiff by Anuj Soni
- How to Use Thug Honeyclient to Investigate a Malicious Website by John Hubbard
- Hunting for IOCs with ioc-parser by Xavier Mertens
If you write or locate other tutorials or articles that demonstrate the use of REMnux, please let Lenny Zeltser know.
High Native Resolution
When running REMnux as a virtual appliance on a system with a very high native resolution, virtualization software might set the VM’s resolution such that REMnux user interface elements and fonts are tiny, almost unreadable. In this case, you can configure REMnux to scale the fonts and many other UI elements by adding the line Xft.dpi: 160 to the ~/.Xresources file on REMnux and then rebooting the VM. You can do this by running the following commands on REMnux:
echo "Xft.dpi: 160" > ~/.Xresources
reboot
The setting above will persist across reboots, scaling the UI by 160%. An alternative to this method is to execute the following command every time you boot up REMnux, though this approach generally produces less-pleasing results:
xrandr --output Virtual1 --scale 0.6x0.6
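The echo redirect above replaces whatever ~/.Xresources already contains. As an added example that is not part of the REMnux documentation, the following POSIX sh helper sets Xft.dpi without discarding other resources in the file, updating an existing Xft.dpi line instead of appending a duplicate; the function names and the optional file argument are this example's own.

```shell
#!/bin/sh
# Added example (not REMnux project code): set or update "Xft.dpi" in an
# Xresources file while keeping every other line the file already holds.
# Usage: set_xft_dpi <dpi> [file]   (file defaults to ~/.Xresources)
set_xft_dpi() {
    dpi="$1"
    file="${2:-$HOME/.Xresources}"
    # Accept only a positive integer; anything else would corrupt the resource.
    case "$dpi" in
        ''|*[!0-9]*) echo "set_xft_dpi: DPI must be a positive integer" >&2; return 1 ;;
    esac
    if [ -f "$file" ] && grep -q '^Xft\.dpi:' "$file"; then
        # An Xft.dpi line exists: rewrite its value in place.
        tmp="$(mktemp)" || return 1
        sed "s/^Xft\.dpi:.*/Xft.dpi: $dpi/" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        # No Xft.dpi line yet: append, rather than overwrite with '>'.
        printf 'Xft.dpi: %s\n' "$dpi" >> "$file"
    fi
}

# Print the DPI the file currently sets (empty output if it sets none).
get_xft_dpi() {
    file="${1:-$HOME/.Xresources}"
    [ -f "$file" ] || return 0
    sed -n 's/^Xft\.dpi:[[:space:]]*//p' "$file" | tail -n 1
}
```

After running set_xft_dpi 160 on REMnux, reboot the VM as the page describes for the new DPI to take effect.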
Importing Into Old VMware Version
When importing the REMnux virtual appliance into an old version of VMware Workstation, Fusion or Player, you may get the error message that states, “Failed to open virtual machine: Failed to query source for information.” In this case, you should upgrade to a later version of VMware software. If upgrading is not feasible, you may be able to use the VMware OVF Tool to convert the REMnux OVA file to the VMX format.
Mouse Clicks on VMware Fusion
When using VMware Fusion to run the REMnux virtual machine, the VM might stop recognizing the mouse clicks. According to VMware, this occurs when the “virtual machine detects the connected mouse as a USB device and not as a HID device. While the mouse pointer may still move within the virtual machine, mouse clicks do not register.” To address the problem, edit the .VMX file of your REMnux virtual machine to include the following line:
mouse.vusb.startConnected = "FALSE"
Security Tools Blocking Package Downloads
A handful of people running REMnux installation or update scripts within virtual machines noticed that the antivirus tool installed on their underlying host flagged some REMnux packages as malicious and blocked their download. This is a false alarm. However, if you encounter this, you might need to disable the host’s antivirus tool while running the script or whitelist the offending files or URLs to avoid getting them blocked.