
REMnux

REMnux is a free Ubuntu-based toolkit for reverse-engineering and analysing malicious software. It bundles well over a hundred curated tools so you do not have to find, build and trust each one yourself. This cheatsheet is organised the way an investigation actually flows — from what you can learn without running the sample, to what it does when you let it run, through document and script lures, and out onto the network.


What REMnux is — and how to run it safely

REMnux is a distribution and a philosophy: collect the best open-source malware-analysis tools, keep them updated, and give the analyst one consistent environment. You can run it as a full VM, add it to an existing Ubuntu install, or pull it as a Docker image for a single tool.

As a virtual machine

The usual choice, and the recommended one. Download the OVA, import it, snapshot it clean. Revert to the snapshot after every sample.

On existing Ubuntu

The REMnux installer (remnux install) adds the toolset to a system you already run.

As Docker containers

Individual tools are published as images (docker pull remnux/...) — handy for one-off jobs on another host.

Containment is the whole point. You are deliberately handling live malware. Run REMnux in an isolated VM with no bridge to your real network, take a clean snapshot before each analysis, and revert afterwards. Never analyse a live sample on a machine that holds anything you care about. Pair it with a Windows analysis VM and a fake-internet host (INetSim) on an isolated lab network.
Keep it current. Signatures, parsers and tools age quickly. Run remnux upgrade on a fresh, clean VM and re-snapshot, so your baseline is up to date before you start.

The analysis workflow

Work from least to most risk. Each phase below answers a different question, and you only escalate when the cheaper phase runs out of answers. This page follows that order, phase by phase, tool by tool.

Phase | Question it answers | Risk
1 · Static | What is this file, without running it? Type, hashes, strings, capabilities, packing. | Low — file never executes.
1·5 · Disasm | How does it work internally? The exact routines, protocols and anti-analysis checks. | Low — read the code, no execution.
2 · Dynamic | What does it do when it runs? Files, registry, processes, network callbacks. | High — sample executes; isolation required.
3 · Documents | How does the lure deliver the payload? Macros, exploits, embedded scripts. | Medium — extract without triggering.
3·5 · Email | How did it arrive, and is the sender forged? Headers, attachments, links. | Medium — extract, never click.
4 · Network | Who does it talk to, and how? C2, exfil, protocols, downloaded stages. | Medium — analyse captures, simulate services.
5 · Memory | What was resident at runtime? Injected code, unpacked payloads, artifacts. | Low — analyse a captured image.
6 · ELF | For Linux samples — the same flow, ELF-native tools, extra isolation. | High if run natively — prefer emulation.
1 · Static triage

Everything you can learn before the sample runs. Cheap, safe, and often enough to classify a file or pull the indicators you need. Always start here.

file

identify

Identifies a file by its content (magic bytes), not its extension. Your first question about any sample: what is it really?

$ file sample.bin
sample.bin: PE32 executable (GUI) Intel 80386, for MS Windows

$ file invoice.pdf
invoice.pdf: PDF document, version 1.7
A "PDF" that reports as a PE executable has told you most of the story already.

Hashing & fuzzy hashing

fingerprint

Record the sample and look it up. Cryptographic hashes identify an exact file; fuzzy hashes (ssdeep) and import hashes (imphash) cluster variants that are merely similar.

$ sha256sum sample.bin            # exact identity — for VT / known-bad lookup
$ ssdeep sample.bin               # fuzzy hash — find near-duplicate variants
$ pehash sample.bin               # imphash + section hashes (PE files)
imphash is powerful for clustering: samples built with the same import table often share one.

strings & FLOSS

extract text

Pull printable text out of a binary — URLs, IPs, commands, mutexes, ransom notes. FLOSS (FLARE Obfuscated String Solver) goes further, decoding strings that the malware obfuscates and only builds at runtime.

$ strings -n 8 sample.bin | less
$ strings -e l sample.bin            # 16-bit little-endian (Windows wide strings)

# FLOSS: recover obfuscated/stacked/encoded strings too
$ floss sample.bin
$ floss --only static -- sample.bin  # skip emulation, faster first pass
Run plain strings first; reach for FLOSS when a sample is clearly hiding its strings.

pestr

PE-aware strings

A strings variant that understands PE files — it extracts ASCII and Unicode strings while staying aware of the executable's structure, so you get cleaner output than raw strings on a Windows binary.

$ pestr sample.exe | less
$ pestr sample.exe | grep -iE "http|\\.dll|cmd|\\\\"   # surface URLs, DLLs, commands, paths
Use pestr as the PE-focused companion to strings; pipe into grep to pull indicators straight out.

pecheck / pedump / peframe

PE structure

Parse the structure of a Windows PE file: headers, sections, imports, exports, resources, and the timestamp. Section entropy and odd import tables hint at packing or malicious intent.

$ pecheck sample.exe                 # pefile-based overview
$ pedump sample.exe                  # detailed header/section/import dump
$ peframe sample.exe                 # quick triage: packer, suspicious APIs, URLs
High-entropy sections (near 8.0) and a tiny import table are classic packing signals — escalate to dynamic.

Manalyze

PE static analyzer

A static analyser for PE files that runs a battery of plugins — packer detection, suspicious imports, embedded URLs, ClamAV signatures, authenticode checks — and scores how dangerous a sample looks, all from the command line.

$ manalyze sample.exe                        # core static report
$ manalyze -p all sample.exe                 # run every plugin
$ manalyze --plugins=peid,clamav,strings sample.exe
$ manalyze -d imports -d resources sample.exe # dump specific PE structures
The plugin verdicts (e.g. "MALICIOUS / packer detected / suspicious imports") give a fast triage score before you commit to deeper analysis.

YARA

pattern rules

Match a sample against rules that describe malware families and techniques. Scan one file or a whole directory of evidence with a rule set.

$ yara -r rules.yar sample.bin               # -r recurses into directories; harmless on a single file
$ yara -r -s rules.yar /mnt/evidence         # show matching strings, scan a tree
$ yara -r yararules-full.yar suspicious/      # bulk-scan a folder of samples
REMnux ships community rule sets; -s shows exactly which strings matched, which is what you cite.

capa

capabilities

Reads a binary and tells you what it is capable of in plain language — "communicate over HTTP", "encrypt data", "inject into a process" — mapped to ATT&CK and MBC. One of the fastest ways to understand intent.

$ capa sample.exe
$ capa -v sample.exe                 # verbose: show the evidence per capability
$ capa --json sample.exe > capa.json # machine-readable for your report pipeline
capa turns "an unknown EXE" into "a downloader that persists via a run key and talks HTTP" in seconds.

signsrch

crypto signatures

Scans a binary for the signatures of known algorithms and constants — crypto routines (AES, RC4, Base64), compression, and common library code. Tells you how a sample encrypts or encodes its data without reversing it by hand.

$ signsrch sample.exe                # match known algorithm/constant signatures
$ signsrch -e sample.exe             # also scan with relative offsets
Finding the AES S-box or an RC4 key schedule points you straight at the routine to focus on in the disassembler.

TrID & exiftool

type & metadata

TrID identifies file types by statistical signatures when file is unsure. exiftool reads embedded metadata — authors, tools, timestamps, template paths — which often links samples to a common builder or actor.

$ trid sample.bin                    # ranked guesses at the true type
$ exiftool maldoc.docx               # author, creator tool, timestamps, template
Metadata is great for attribution clustering — a shared "Author" or builder string ties samples together.

Detect It Easy (DIE)

packer ID

Identifies compilers, packers and protectors, and visualises section entropy. Confirms whether you are looking at a packed sample before you spend time on dead static analysis.

$ diec sample.exe                    # console Detect It Easy
$ diec -e sample.exe                 # include entropy report
If DIE reports UPX or a known packer, unpack first; if it reports a custom protector, plan for dynamic unpacking.
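A phase-1 runner that ties these tools together, as an added example that is not from the REMnux project or this page: it calls the tools named above only when they are installed, and extracts indicator candidates from the strings output with plain grep and sed. The indicator patterns, the TLD list and the constructed sample strings are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the REMnux project or this page. Chains the
# phase-1 tools named above (each skipped if not installed) and extracts
# indicator candidates from the strings output. The indicator patterns, the
# TLD list and the sample strings below are this example's own assumptions.

# Run a tool only when this host has it, so the script works on a partial install.
run_if_present() {
    tool=$1; shift
    if command -v "$tool" >/dev/null 2>&1; then
        printf '== %s ==\n' "$tool"
        "$tool" "$@"
    else
        printf '== %s not installed, skipped ==\n' "$tool"
    fi
}

# Pull URL, IPv4 and hostname candidates out of strings/FLOSS output on stdin,
# de-duplicate them and defang them (hxxp, [.]) so they paste safely into a report.
# Heuristic: the TLD list is short by design; extend it for the samples you see.
extract_iocs() {
    grep -oE 'https?://[^[:space:]"<>]+|([0-9]{1,3}\.){3}[0-9]{1,3}|[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.(com|net|org|io|ru|xyz|top|info)' \
        | sort -u \
        | sed -e 's/^http/hxxp/' -e 's/\./[.]/g'
}

# Phase-1 pass over one sample: identify, hash, packer check, capabilities, then
# indicators from ASCII and UTF-16LE strings written to <sample>.iocs.txt.
triage() {
    s=$1
    run_if_present file "$s"
    run_if_present sha256sum "$s"
    run_if_present ssdeep "$s"
    run_if_present diec "$s"
    run_if_present capa "$s"
    { strings -n 8 "$s"; strings -n 8 -e l "$s"; } 2>/dev/null | extract_iocs > "$s.iocs.txt"
    printf '== %s indicator candidates written to %s.iocs.txt ==\n' "$(wc -l < "$s.iocs.txt")" "$s"
}

# Constructed stand-in for `strings -n 8 sample.bin` output, so extract_iocs can
# be shown without a real sample on disk.
SAMPLE_STRINGS='kernel32.dll
GetProcAddress
http://update.example.com/gate.php
Mozilla/5.0 (Windows NT 10.0)
198.51.100.23
Global\MutexNameHere
cdn.example.net
SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Entry point shared by the demo below and by scripted checks.
demo_iocs() {
    printf '%s\n' "$SAMPLE_STRINGS" | extract_iocs
}

demo_iocs
if [ $# -gt 0 ]; then triage "$1"; fi
```

Run it as `sh triage.sh sample.bin` on the REMnux VM; without an argument it only prints the indicators carved from the constructed strings.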
1·5 · Disassembly & reverse engineering

When static triage tells you what a sample can do but you need to know how — the exact decryption routine, the C2 protocol, the anti-analysis checks — you open it in a disassembler. This sits between static and dynamic: still no execution, but far deeper than parsing headers.

Ghidra

decompiler

The NSA's open-source software reverse-engineering suite, bundled with REMnux. Its standout feature is the decompiler — it turns machine code back into readable C-like pseudocode, which is dramatically faster to reason about than raw assembly. Supports scripting and headless batch analysis.

$ ghidraRun                          # launch the GUI; create a project, import the sample

# Headless mode — analyse without the GUI, run a script, export results
$ analyzeHeadless /proj myProject -import sample.exe \
      -postScript ExtractInfo.java -deleteProject
In the GUI: auto-analyse, then read the Decompiler pane next to the disassembly. Headless mode is how you batch-process or integrate Ghidra into a pipeline.

radare2 / rizin

CLI RE framework

A complete command-line reversing framework — disassembler, debugger, hex editor and analysis engine in one. Steep learning curve, but unmatched for scripting and quick terminal-only triage. Rizin is a friendlier fork with the same core.

$ r2 -A sample.exe                   # open and auto-analyse
[0x00401000]> afl                    # list all functions
[0x00401000]> iz                     # strings in the data section
[0x00401000]> ii                     # imports
[0x00401000]> pdf @ main             # disassemble the main function
[0x00401000]> axt @ sym.imp.WinExec  # find cross-refs to a suspicious API
The axt (cross-reference) and pdf (print disassembled function) commands are the daily drivers — follow an interesting import back to the code that calls it.

objdump

quick disassembly

The classic GNU binary utility. Not a full RE platform, but perfect for a fast look at headers, sections and a straight disassembly of a binary — especially ELF files — without opening a heavier tool.

$ objdump -d sample            # disassemble executable sections
$ objdump -x sample            # all headers (sections, symbols, dynamic)
$ objdump -T sample            # dynamic symbol table (imported functions)
$ objdump -M intel -d sample   # Intel syntax instead of AT&T
Reach for objdump when you want a quick disassembly in the terminal; switch to -M intel if AT&T syntax slows you down.
2 · Dynamic analysis

Let the sample run in a contained lab and watch what it does. REMnux usually plays the supporting role here — it simulates the internet and observes — while the malware detonates on a separate Windows VM pointed at it.

Before anything runs: isolated network only, clean snapshot taken, no path back to anything real. The Windows victim VM's gateway and DNS should point at your REMnux host, not the actual internet.

INetSim

fake internet

Simulates common internet services — HTTP, HTTPS, DNS, SMTP, FTP and more — so the malware believes it has reached the real world and reveals its behaviour, while nothing actually leaves the lab.

$ sudo inetsim                       # start the simulated services
# config: /etc/inetsim/inetsim.conf  — bind address, which services, fake responses
# point the victim VM's DNS + gateway at this host's IP
INetSim answers every callback, so you capture the malware's full intended conversation without risk.

fakedns / accept-all-ips

DNS redirect

When you want finer control than INetSim's DNS, a fake DNS server resolves every lookup to your analysis host, so all C2 traffic lands where you can see it.

$ fakedns                            # resolve all queries to a chosen IP
$ accept-all-ips start               # route any destination IP to the local host
Pairing fakedns with accept-all-ips means hardcoded IPs and domains both come home to you.

Process & syscall tracing

behaviour

On the Windows victim, Procmon records file/registry/process activity. For Linux malware analysed on REMnux itself, strace and ltrace show the system and library calls a binary makes.

# Linux ELF sample, on REMnux (still isolate!)
$ strace -f -e trace=network,file ./sample 2>trace.txt
$ ltrace -f ./sample 2>ltrace.txt
-f follows child processes; filtering to network/file syscalls keeps the trace readable.

Change tracking (Regshot / Sysmon)

before/after

On the victim VM, snapshot the system before detonation and diff afterwards to see persistence and dropped files. Sysmon gives a richer, timestamped event log of the same activity.

# Workflow (victim VM): Regshot 1st shot → run sample → 2nd shot → compare
# Sysmon: install with a tuned config, then collect Event Log for analysis on REMnux
The diff is where persistence shows itself — new run keys, scheduled tasks, services, dropped binaries.

Unpacking

deobfuscate

Many samples are packed. Known packers unpack statically; custom ones you let run, then dump the unpacked image from memory for fresh static analysis.

$ upx -d packed.exe -o unpacked.exe  # standard UPX
# custom packers: run in the lab, then dump from memory (see Volatility / scdbg)
After unpacking, return to phase 1 — strings, capa and YARA all become useful again on the real payload.
3 · Documents & scripts

Most intrusions start with a lure — an Office document, a PDF, a script. REMnux excels at pulling the payload out of these without opening them in a vulnerable application. The goal is to extract and read, never to trigger.

oletools (olevba, oleid, oledump)

Office macros

The standard toolkit for OLE and Office documents. Detect and extract VBA macros, flag suspicious auto-exec and shell keywords, and deobfuscate what the macro is really doing.

$ oleid suspicious.doc               # quick risk indicators
$ olevba suspicious.doc              # extract + analyse VBA macros
$ olevba --decode --deobf doc.xls    # attempt to deobfuscate strings
$ oledump.py -i suspicious.doc       # list OLE streams; -s N -d to dump one
olevba's IOC and "suspicious keyword" summary points straight at AutoOpen, Shell, and download calls.

rtfobj

RTF exploits

Part of oletools, dedicated to RTF files — a favourite carrier for embedded OLE objects and exploit payloads (e.g. Equation Editor CVEs). Extracts and dumps the embedded objects so you can examine the real payload.

$ rtfobj suspicious.rtf              # list embedded OLE objects + flags
$ rtfobj -s all -d out/ suspicious.rtf  # dump every embedded object to a folder
rtfobj flags known exploit patterns; dump the object, then run file / scdbg on what comes out.

ViperMonkey

VBA emulation

A VBA emulation engine. Where olevba extracts a macro, ViperMonkey runs it in a safe interpreter and emulates the logic — invaluable when a macro is heavily obfuscated and only assembles its real command at runtime.

$ vmonkey suspicious.doc             # emulate the VBA, log actions + deobfuscated values
$ vmonkey -s suspicious.doc          # also display the extracted VBA source
When olevba shows you a wall of Chr() concatenation, ViperMonkey emulates it and prints the final URL or command.

XLMMacroDeobfuscator

Excel 4.0 macros

Excel 4.0 (XLM) macros are an old format heavily abused by malware because many tools miss them. This deobfuscator emulates the XLM macro engine and extracts the hidden formulas and payloads that olevba alone may not reach.

$ xlmdeobfuscator -f suspicious.xls          # emulate XLM macros, print deobfuscated cells
$ xlmdeobfuscator -f book.xlsm --no-indent --output-formula-format "[[CELL]] [[INT-FORMULA]]"
If a spreadsheet looks clean to olevba but still feels wrong, check for XLM macros here — it is a common blind spot.

PDF tools (pdfid, pdf-parser, peepdf)

malicious PDF

Examine a PDF's structure for the elements that signal malice — JavaScript, auto-actions, embedded files, launch actions — and extract them for inspection.

$ pdfid.py sample.pdf                # count /JS /JavaScript /OpenAction /Launch /EmbeddedFile
$ pdf-parser.py --search JavaScript sample.pdf
$ pdf-parser.py --object 12 --filter --raw sample.pdf  # dump a decoded object
$ peepdf -i sample.pdf               # interactive analysis shell
A non-zero /OpenAction + /JavaScript count is the textbook malicious-PDF fingerprint.

JavaScript deobfuscation (box-js, js-beautify)

scripts

Malicious JS — from PDFs, HTML smuggling or droppers — is usually obfuscated. Beautify it to read, or run it in a sandboxed interpreter that logs what it tries to do.

$ js-beautify dropper.js > readable.js
$ box-js dropper.js --output-dir out/   # emulate; logs URLs, files, eval'd code
box-js fakes a browser/WScript environment, so the script reveals its download URLs without real execution.

PowerShell & encoded scripts

deobfuscate

Attacker PowerShell is typically base64-encoded and layered. Decode the encoded command, then iteratively peel back the obfuscation to reach the final payload.

# Decode a -EncodedCommand blob (UTF-16LE base64)
$ echo 'BASE64HERE' | base64 -d | iconv -f UTF-16LE -t UTF-8
$ base64dump.py sample.ps1           # find and decode embedded base64 chunks
Decode, read, repeat — encoded PowerShell is often nested several layers deep before the real command appears.
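The decode-read-repeat loop as a script, an added example that is not from the REMnux project or this page: it builds a constructed three-layer -EncodedCommand sample and peels it with the base64 + iconv steps above until no further encoded blob remains. The switch regex, the sample command and the helper names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the REMnux project or this page.
# Builds a three-layer -EncodedCommand sample and peels it with the same
# base64 + iconv steps shown above until no further encoded blob remains.
# The sample command, the switch regex and the helper names are assumptions.

# Encode text the way -EncodedCommand expects: UTF-16LE, then base64, one line.
ps_encode() {
    printf '%s' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 | tr -d '\n'
}

# Decode one layer: base64 -> UTF-16LE -> UTF-8.
ps_decode() {
    printf '%s' "$1" | base64 -d | iconv -f UTF-16LE -t UTF-8
}

# Print the base64 blob following -e / -ec / -enc / -EncodedCommand (powershell.exe
# accepts any unambiguous prefix of the switch), or nothing if there is none.
extract_blob() {
    printf '%s' "$1" \
        | grep -oiE -e '-e(c|n[codemand]*)?[[:space:]]+[A-Za-z0-9+/=]{8,}' \
        | head -1 | awk '{ print $2 }'
}

# Decode layer after layer, printing each decoded command on its own line;
# the last line is the innermost command. Stops at 10 layers as a safety cap.
peel_layers() {
    blob=$1; depth=0
    while [ -n "$blob" ] && [ "$depth" -lt 10 ]; do
        depth=$((depth + 1))
        layer=$(ps_decode "$blob")
        printf '%s\n' "$layer"
        blob=$(extract_blob "$layer")
    done
}

# Innermost command only, for scripting.
innermost() {
    peel_layers "$1" | tail -1
}

# Constructed sample: a final command wrapped in two launcher layers, the way
# staged droppers nest them. The URL is a reserved .invalid placeholder.
FINAL_CMD='Write-Output "http://c2.example.invalid/stage2"'
INNER=$(ps_encode "$FINAL_CMD")
MIDDLE=$(ps_encode "powershell -nop -ec $INNER")
OUTER=$(ps_encode "powershell.exe -NoProfile -EncodedCommand $MIDDLE")

peel_layers "$OUTER" | awk '{ printf "layer %d: %s\n", NR, $0 }'
```

For a real sample, replace `"$OUTER"` with the blob copied from the command line or from base64dump.py output.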

scdbg (shellcode)

shellcode

Emulates extracted shellcode and reports the Windows API calls it makes — so you learn its behaviour without running it on a real system.

$ scdbg -f shellcode.bin             # emulate, log API calls
$ scdbg -f shellcode.bin /findsc     # search for a valid entry offset
The logged API sequence (e.g. URLDownloadToFile → WinExec) is the shellcode's intent in summary form.
3·5 · Email & phishing

Most malware arrives by email, so the message itself is evidence. REMnux lets you take a raw .eml or .msg apart safely — read the headers to trace the sender and spot spoofing, then carve out attachments and links and feed them back into the document and static phases. The rule is the same as everywhere here: extract and inspect, never click.

emldump

.eml structure

Didier Stevens' tool for MIME email files. It lists the parts of an .eml — body, headers, each attachment — so you can dump a specific attachment to disk without ever opening the message in a mail client.

$ emldump.py phish.eml               # list MIME parts (index, type, size)
$ emldump.py -s 4 -d phish.eml > attach.bin   # dump part 4 to a file
# Chain straight into Office analysis if the attachment is a maldoc:
$ emldump.py -s 4 -d phish.eml | oledump.py
The pipe into oledump is the classic move — go from raw email to macro analysis without an intermediate file or a single click.

msg / mseextract

Outlook .msg

Outlook saves messages in the binary .msg (OLE) format. These tools convert or extract it — pull the body, headers and attachments out of a .msg into formats the rest of your toolkit understands.

$ msgconvert phish.msg               # convert .msg → .eml (then use emldump)
$ mseextract phish.msg -o out/       # extract streams/attachments from the OLE .msg
$ msgconvert phish.msg && emldump.py phish.eml   # convert, then dissect
Convert .msg to .eml first and the whole emldump workflow opens up — it normalises Outlook's format into standard MIME.

Header analysis

trace & spoofing

The headers tell you where a message really came from and whether it is forged. Read the Received: chain bottom-up to trace the path, and check the authentication results for SPF, DKIM and DMARC failures that betray spoofing.

$ emldump.py -H phish.eml            # dump the full header block

# Trace the origin: Received lines, read bottom to top
$ grep -i "^Received:" phish.eml

# Check sender authentication
$ grep -iE "spf=|dkim=|dmarc=|Authentication-Results" phish.eml

# Compare the real envelope sender vs the displayed From
$ grep -iE "^(Return-Path|From|Reply-To):" phish.eml
A mismatch between Return-Path, From and Reply-To, plus spf=fail or dkim=fail, is the fingerprint of a spoofed phish.
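The header checks above as a small script, an added example that is not from the REMnux project or this page: it unfolds the headers of a constructed phish.eml, lists the Received chain origin-first, pulls the SPF/DKIM/DMARC results, and compares the Return-Path, From and Reply-To domains. The message, its addresses and domains are made up for this example.

```sh
#!/bin/sh
# Added example, not code from the REMnux project or this page.
# Applies the header checks above to a constructed .eml: Received chain read
# bottom-up, SPF/DKIM/DMARC results, and the envelope/From/Reply-To comparison.
# The message, its domains and addresses are made up for this example.

# Write the constructed sample: the displayed From, the envelope sender and the
# Reply-To are three different domains, and the receiving MTA recorded spf=fail.
write_sample_eml() {
    cat > "$1" <<'EOF'
Return-Path: <bounce@mailer-example.net>
Received: from mx.victim.example (mx.victim.example [192.0.2.10])
    by inbox.victim.example with ESMTP id 42; Mon, 1 Jan 2024 10:00:02 +0000
Received: from relay.mailer-example.net (relay.mailer-example.net [198.51.100.7])
    by mx.victim.example with ESMTP id 41; Mon, 1 Jan 2024 10:00:01 +0000
Received: from [203.0.113.55] (unknown [203.0.113.55])
    by relay.mailer-example.net with SMTP id 40; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=mailer-example.net;
    dkim=none; dmarc=fail header.from=bank.example
From: "Bank Support" <support@bank.example>
Reply-To: support-desk@mail-bank-help.example
To: victim@victim.example
Subject: Urgent: verify your account

Please open the attached invoice.
EOF
}

# Print the header block with folded (indented) continuation lines joined back
# onto their header, so each header is one line for grep.
unfold_headers() {
    awk 'NR == 1 { line = $0; next }
         /^$/ { print line; seen_blank = 1; exit }
         /^[ \t]/ { sub(/^[ \t]+/, " "); line = line $0; next }
         { print line; line = $0 }
         END { if (!seen_blank) print line }' "$1"
}

# Received: lines in the order the message travelled: origin first.
received_chain() {
    unfold_headers "$1" | grep -i '^Received:' \
        | awk '{ a[NR] = $0 } END { for (i = NR; i >= 1; i--) print a[i] }'
}

# First IPv4 literal in the bottom-most Received: line, i.e. the claimed origin.
origin_ip() {
    received_chain "$1" | head -1 | grep -oE '\[[0-9]+(\.[0-9]+){3}\]' | head -1 | tr -d '[]'
}

# spf=/dkim=/dmarc= verdicts from Authentication-Results, lower-cased.
auth_results() {
    unfold_headers "$1" | grep -i '^Authentication-Results:' \
        | grep -oiE '(spf|dkim|dmarc)=[a-z]+' | tr 'A-Z' 'a-z'
}

# Domain part of the first address in the named header (Return-Path, From, Reply-To).
header_domain() {
    unfold_headers "$2" | grep -i "^$1:" | grep -oE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+' \
        | head -1 | sed 's/.*@//' | tr 'A-Z' 'a-z'
}

# Prints the spoofing signs found; returns 0 if there are any, 1 if none.
spoof_verdict() {
    eml=$1; reasons=""
    rp=$(header_domain Return-Path "$eml"); fr=$(header_domain From "$eml"); rt=$(header_domain Reply-To "$eml")
    if [ -n "$rp" ] && [ "$rp" != "$fr" ]; then reasons="$reasons envelope=$rp!=from=$fr"; fi
    if [ -n "$rt" ] && [ "$rt" != "$fr" ]; then reasons="$reasons reply-to=$rt!=from=$fr"; fi
    for r in $(auth_results "$eml"); do
        case $r in *=fail|*=softfail|*=permerror) reasons="$reasons $r" ;; esac
    done
    printf '%s\n' "${reasons# }"
    [ -n "$reasons" ]
}

# Demo run on the constructed message.
EML=$(mktemp); write_sample_eml "$EML"
printf 'origin: %s\n' "$(origin_ip "$EML")"
received_chain "$EML"
spoof_verdict "$EML" || echo "no spoofing signs found"
```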

Thunderbird

safe viewer

REMnux ships Thunderbird configured for analysis — remote content blocked, scripting off — so you can safely render a suspicious message to see what the victim saw, inspect the real link targets behind display text, and read the source.

$ thunderbird                        # open a saved .eml: File → Open Saved Message
# View → Message Source (Ctrl+U) for raw headers + body
# Hover any link to reveal the true destination before trusting display text
Keep remote content disabled — rendering a phish should never call home. Use it to see the lure, not to interact with it.
4 · Network analysis

Whether you captured traffic during detonation or were handed a PCAP, REMnux has the tools to reconstruct the conversation: who the sample talked to, what protocols it used, and what it pulled down or sent out.

tshark / Wireshark

packet analysis

The capture and dissection workhorse. Wireshark for interactive GUI work; tshark for scriptable, command-line extraction from a PCAP.

$ tshark -r capture.pcap -Y "http.request"           # show HTTP requests
$ tshark -r capture.pcap -T fields -e ip.dst -e http.host | sort -u
$ tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | sort -u  # queried domains
$ tshark -r capture.pcap --export-objects http,out/  # carve downloaded files
Display filters (-Y) narrow the view; -T fields turns packets into a tidy list you can pipe onward.

Zeek

connection logs

Turns a PCAP into rich, structured logs — connections, DNS, HTTP, TLS, files — that are far easier to triage at scale than raw packets.

$ zeek -r capture.pcap               # produces conn.log, dns.log, http.log, ssl.log, files.log ...
$ cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p service
$ cat dns.log  | zeek-cut query | sort -u
zeek-cut extracts named columns from Zeek logs — perfect for building IOC lists from a capture.

File extraction (tcpxtract / NetworkMiner)

carve transfers

Reconstruct files transferred over the wire — a downloaded second stage, exfiltrated data — straight out of a capture.

$ tcpxtract -f capture.pcap -o carved/    # carve files by signature
# NetworkMiner (GUI): drop in the PCAP, browse reconstructed files / hosts / credentials
A carved payload goes straight back to phase 1 — hash it, run capa, scan with YARA.

TLS interception (mitmproxy)

decrypt C2

Modern malware uses HTTPS. With a proxy in the lab path and its CA trusted on the victim, you can read otherwise-encrypted C2 traffic.

$ mitmproxy --mode transparent       # intercept; install mitm CA on the victim VM
$ mitmdump -w flows.mitm              # headless capture of decrypted flows
Only works while you control the endpoint and can trust the proxy CA — exactly the situation in a lab.
5 · Memory forensics

A memory image captures what was actually running — including code that only exists unpacked in RAM. If you grabbed a dump during dynamic analysis, this is where injected and decrypted payloads surface.

Volatility 3

RAM analysis

The reference framework for memory forensics. Enumerate processes, network connections, injected code and loaded modules from a captured image, and dump suspect regions back to disk.

$ vol -f mem.raw windows.pslist          # running processes
$ vol -f mem.raw windows.pstree          # parent/child — spot anomalous spawns
$ vol -f mem.raw windows.malfind         # injected / unpacked code regions
$ vol -f mem.raw windows.netscan         # network connections at capture time
$ vol -f mem.raw windows.dumpfiles --pid 1337   # dump a process's files
malfind is the headline plugin — it finds the unpacked payload that static analysis could not see.

bulk_extractor

feature carving

Scans an image or dump and carves out features — emails, URLs, IPs, credit-card numbers — without parsing the filesystem, fast and indiscriminate.

$ bulk_extractor -o out/ mem.raw
$ cat out/url.txt | sort -u              # every URL found anywhere in the image
A blunt but effective way to harvest indicators when you do not yet know what you are looking for.
6 · Linux / ELF malware

Not all malware targets Windows. IoT botnets, server implants and coin miners ship as ELF binaries, and REMnux handles them natively — you are on the same OS the sample was built for, so be especially disciplined about isolation. The static → disassembly → emulation flow mirrors the Windows path, with ELF-specific tools.

Extra caution for ELF samples. A Linux binary can run on your REMnux host directly. Never execute an ELF sample on the analysis VM unless it is fully isolated and snapshotted — and prefer emulation (Qiling) over native execution wherever possible.

readelf

ELF structure

The ELF counterpart to the PE-header tools. Reads the headers, sections, segments and symbols of a Linux binary — the first look at how the sample is built, whether it is stripped, and what it links against.

$ readelf -h sample            # ELF header: type, arch, entry point
$ readelf -l sample            # program headers / segments
$ readelf -d sample            # dynamic section — shared library dependencies
$ readelf -s sample            # symbol table (empty = stripped binary)
An empty symbol table means the binary is stripped — expect to lean harder on the disassembler and emulation.

radare2 (ELF)

disassembly

The same radare2 framework from the disassembly phase, applied to ELF. It handles Linux binaries fluently — analyse functions, follow the entry point, and trace calls to suspicious libc functions like system or execve.

$ r2 -A sample
[0x...]> afl                  # functions
[0x...]> pdf @ entry0         # disassemble the entry point
[0x...]> axt sym.imp.system   # who calls system()?
[0x...]> iz                   # data-section strings (C2, paths, commands)
Cross-referencing system, execve and socket imports quickly maps how an ELF implant runs commands and calls home.

Detect It Easy (ELF)

packer ID

DIE detects packers on ELF too — UPX is common on Linux malware, often with a corrupted header to defeat the standard upx -d. DIE confirms the packer and its entropy so you know what you are dealing with.

$ diec sample                  # identify packer/compiler on the ELF
$ upx -d sample -o unpacked     # try standard UPX unpack first
If upx -d fails on a UPX-packed ELF, the header was tampered with — repair it or dump the unpacked process from memory instead.

Qiling

emulation framework

A Python binary-emulation framework built on Unicorn. It runs a binary's instructions in an emulated environment — across architectures, including the ARM/MIPS builds common in IoT malware — so you can observe behaviour and instrument execution without ever running the sample natively.

# Emulate an ELF inside a rootfs, scripted in Python
$ python3 -c '
from qiling import Qiling
ql = Qiling(["./sample"], "/path/to/rootfs", verbose=1)
ql.run()'
Qiling shines for cross-architecture IoT samples: emulate an ARM or MIPS binary on your x86 REMnux host, hook syscalls, and watch what it does — safely.

Where to go next

REMnux is one station in a larger toolkit.

Linux foundations

The terminal, filesystem and core DFIR commands underneath everything here.

grep cheatsheet

Pattern matching and IOC extraction — used constantly when reading REMnux output.

Command reference

The searchable Linux command reference for the wider Defencia infrastructure.

Tool names move. REMnux adds, renames and retires tools over time. If a command here is missing on your build, check the official REMnux tool listing and remnux upgrade — the workflow and phases stay the same even as individual tools change.