Boxed REMnux in your Browser
REMnux malware analysis toolkit in your browser — a Dockerized XFCE desktop with noVNC access.
Built on the official [`remnux/remnux-distro:noble`](https://hub.docker.com/r/remnux/remnux-distro) image with XFCE4, TigerVNC, and noVNC layered on top.
## Prerequisites
- [Docker](https://docs.docker.com/get-docker/)
- A browser
- ~15 GB disk space for the image
- At least 4 GB RAM allocated to Docker
## Quick Start
```bash
git clone
boxed-remnux
cd boxed-remnux

# Build the image
make build

# Start the container
make start

# Open in browser
make browser
```
Or manually:

```bash
docker build -t boxed-remnux .
docker run --rm -d -p 9020:8080 -p 5901:5900 --name boxed-remnux boxed-remnux
```

Then open **http://localhost:9020/vnc.html** and connect with password `remnux`.

Note that a plain `-p 9020:8080` publishes the port on every interface of the host, and `remnux` is a well-known default password. If the machine is on a shared network, bind the published ports to the loopback address (`-p 127.0.0.1:9020:8080 -p 127.0.0.1:5901:5900`) and set your own `VNCPWD` (see Configuration).
## Commands
| Command | Description |
|---------|-------------|
| `make build` | Build the Docker image |
| `make start` | Start container in background |
| `make stop` | Stop and remove container |
| `make browser` | Open noVNC in default browser |
| `make logs` | View container logs |
| `make shell` | Open a bash shell in the running container |
| `make clean` | Remove the Docker image |
## Configuration
Set these environment variables at build time or override at runtime:
| Variable | Default | Description |
|----------|---------|-------------|
| `VNCPWD` | `remnux` | VNC authentication password |
| `VNCDISPLAY` | `1920x1080` | Desktop resolution |
| `VNCDEPTH` | `16` | Color depth (16 or 24) |
| `VNCPORT` | `5900` | VNC server port (container) |
| `NOVNCPORT` | `8080` | noVNC proxy port (container) |
| `VNCEXPOSE` | `1` | Set to `0` to bind the VNC server to localhost inside the container (still reachable through noVNC, but not through a published `5900` mapping) |

Override at runtime:

```bash
docker run --rm -d \
  -p 9020:8080 -p 5901:5900 \
  -e VNCPWD=mysecret \
  -e VNCDISPLAY=2560x1440 \
  -e VNCDEPTH=24 \
  --name boxed-remnux boxed-remnux
```
## Sharing Files
Mount a local directory into the container (append `:ro` to the volume spec if the samples should not be modifiable from inside the sandbox):

```bash
docker run --rm -d \
  -p 9020:8080 -p 5901:5900 \
  -v /path/to/your/files:/home/remnux/files \
  --name boxed-remnux boxed-remnux
```

## Changing Ports

If the default ports conflict, map them differently:

```bash
docker run --rm -d -p 9022:8080 -p 5902:5900 --name boxed-remnux boxed-remnux
# Access at http://localhost:9022/vnc.html
```
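The three sections above (runtime overrides, file sharing, port mapping) combine naturally into one launcher. The script below is an added example, not part of boxed-remnux: it publishes both ports on the loopback address only, generates a random `VNCPWD` instead of the default, mounts samples read-only, and then inspects `docker port` output to confirm nothing ended up bound to a wildcard address. The `boxed-remnux` image and container name and the `8080`/`5900` container ports come from this README; the `/home/remnux/output` mount point and the `SAMPLES_DIR`/`OUTPUT_DIR` defaults are assumptions you can change.

```shell
#!/bin/sh
# Added example launcher for boxed-remnux (not the project's own code).
# Assumptions: image and container are both named "boxed-remnux";
# /home/remnux/output is a scratch path we choose for analysis results.

SAMPLES_DIR="${SAMPLES_DIR:-$HOME/samples}"    # samples, mounted read-only
OUTPUT_DIR="${OUTPUT_DIR:-$HOME/remnux-out}"   # writable results dir (assumed path)
NOVNC_HOST_PORT="${NOVNC_HOST_PORT:-9020}"
VNC_HOST_PORT="${VNC_HOST_PORT:-5901}"

# loopback_publish HOSTPORT CONTAINERPORT -> a -p spec bound to 127.0.0.1 only,
# so the desktop is never reachable from other hosts on the network.
loopback_publish() {
  printf '127.0.0.1:%s:%s' "$1" "$2"
}

# generate_vnc_password -> 16 random hex characters to replace the documented
# default "remnux". Classic VNC auth only uses the first 8 bytes of the
# password, so the loopback binding above is the control that matters.
generate_vnc_password() {
  od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}

# audit_port_bindings reads `docker port <container>` output on stdin
# (lines like "8080/tcp -> 127.0.0.1:9020") and returns 1 if any mapping is
# bound to a wildcard address (0.0.0.0 or [::]), 0 otherwise.
audit_port_bindings() {
  ! grep -Eq -e '-> (0\.0\.0\.0|\[::]):'
}

run_boxed_remnux() {
  mkdir -p "$OUTPUT_DIR"
  pw="$(generate_vnc_password)"
  docker run --rm -d \
    -p "$(loopback_publish "$NOVNC_HOST_PORT" 8080)" \
    -p "$(loopback_publish "$VNC_HOST_PORT" 5900)" \
    -e "VNCPWD=$pw" \
    -v "$SAMPLES_DIR:/home/remnux/files:ro" \
    -v "$OUTPUT_DIR:/home/remnux/output" \
    --name boxed-remnux boxed-remnux >/dev/null || return 1

  # Check what Docker actually bound instead of trusting the flags we passed.
  if ! docker port boxed-remnux | audit_port_bindings; then
    echo "a port is bound on all interfaces; stopping container" >&2
    docker stop boxed-remnux >/dev/null
    return 1
  fi
  echo "noVNC: http://127.0.0.1:$NOVNC_HOST_PORT/vnc.html  (VNC password: $pw)"
}

# Launch only when invoked as `sh launch.sh run`; sourcing the file just
# defines the functions so they can be reused or tested.
if [ "${1:-}" = "run" ]; then
  run_boxed_remnux
fi
```

Keep the samples mount read-only: the desktop is where you detonate and unpack things, and a writable mount lets a sample (or a slip of the hand) alter the very files you are trying to preserve. Results go to the separate writable mount.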
## What's Included
All tools from the [REMnux distro](https://remnux.org/) plus the additional tools listed below.
### REMnux Base Tools
These ship with the official REMnux distro image:
| Tool | Description |
|------|-------------|
| [Ghidra](https://ghidra-sre.org/) | NSA's software reverse engineering framework with decompiler support |
| [radare2](https://rada.re/n/) | Open-source reverse engineering framework and command-line toolset |
| [Rizin](https://rizin.re/) | Fork of radare2 focused on usability for reverse engineering |
| [Wireshark](https://www.wireshark.org/) / tshark | GUI and CLI network protocol analyzer for deep packet inspection |
| [Volatility](https://www.volatilityfoundation.org/) | Advanced memory forensics framework for incident response |
| [YARA](https://virustotal.github.io/yara/) | Pattern-matching tool for malware researchers to classify samples |
| [olevba / oledump](https://github.com/decalage2/oletools) | Analyze VBA macros and OLE objects in Microsoft Office documents |
| [ClamAV](https://www.clamav.net/) | Open-source antivirus engine for detecting malware signatures |
| [pdfid / pdf-parser](https://blog.didierstevens.com/programs/pdf-tools/) | Triage and parse PDF files for suspicious elements |
| [PEframe](https://github.com/guelfoweb/peframe) | Static analysis tool for PE (Portable Executable) malware |
| [Cutter](https://cutter.re/) | GUI for rizin — visual reverse engineering with decompiler |
| [Autopsy](https://www.autopsy.com/) | Digital forensics platform for disk image analysis |
| [Exiftool](https://exiftool.org/) | Read, write, and edit metadata in files and images |
### Added: Static Analysis
| Tool | Description |
|------|-------------|
| [binwalk](https://github.com/ReFirmLabs/binwalk) | Firmware analysis tool for scanning, extracting, and reverse engineering binary images |
| [foremost](https://foremost.sourceforge.net/) | File carving tool that recovers files based on headers, footers, and data structures |
| [hexedit](https://github.com/pixel/hexedit) | Terminal-based hex editor for viewing and editing binary files |
| [Bless](https://github.com/afrantzis/bless) | Full-featured GUI hex editor with multi-tab support |
| [flasm](http://flasm.sourceforge.net/) | Disassembler and assembler for Flash ActionScript bytecode |
| [NASM](https://www.nasm.us/) | Netwide Assembler — portable x86/x64 assembler for crafting shellcode |
| [pefile](https://github.com/erocarrera/pefile) | Python module to read and work with PE (Portable Executable) files |
| [Capstone](https://www.capstone-engine.org/) | Lightweight multi-architecture disassembly framework |
| [Unicorn](https://www.unicorn-engine.org/) | CPU emulator framework for emulating machine code across architectures |
| [Keystone](https://www.keystone-engine.org/) | Multi-architecture assembler framework (companion to Capstone) |
| [Ropper](https://github.com/sashs/Ropper) | ROP gadget finder and binary analysis tool for exploit development |
| [angr](https://angr.io/) | Binary analysis platform with symbolic execution and CFG recovery |
| [dnfile](https://github.com/malwarefrank/dnfile) | Parser for .NET PE files — analyze managed assemblies |
| [pyelftools](https://github.com/eliben/pyelftools) | Python library for parsing and analyzing ELF binaries |
| [oletools](https://github.com/decalage2/oletools) | Toolkit for analyzing Microsoft OLE2 files (Office docs, VBA macros) |
### Added: Dynamic Analysis & Sandbox
| Tool | Description |
|------|-------------|
| [strace](https://strace.io/) | Trace system calls and signals made by a process |
| [ltrace](https://www.ltrace.org/) | Trace library calls made by a process at runtime |
| [GDB](https://www.sourceware.org/gdb/) | GNU Debugger — debug programs at the source or assembly level |
| [Frida](https://frida.re/) | Dynamic instrumentation toolkit for hooking functions in running processes |
| [Speakeasy](https://github.com/mandiant/speakeasy) | Windows kernel and user-mode emulator for malware analysis (by Mandiant) |
| [Malduck](https://github.com/CERT-Polska/malduck) | Malware analysis helper library for config extraction and unpacking |
### Added: Network Analysis & Monitoring
| Tool | Description |
|------|-------------|
| [Sniffnet](https://sniffnet.net/) | Cross-platform GUI network monitor with real-time charts, geolocation, protocol identification, and custom notifications. Built in Rust. ([GitHub](https://github.com/GyulyVGC/sniffnet)) |
| [Snitch](https://github.com/karol-broda/snitch) | Prettier `ss`/`netstat` replacement — interactive TUI and styled tables for inspecting network connections. Written in Go. |
| [ngrep](https://github.com/jpr5/ngrep) | Network grep — match regex patterns against packet payloads in real time |
| [tcpflow](https://github.com/simsong/tcpflow) | Capture and reassemble TCP streams for content analysis |
| [dnsutils](https://www.isc.org/bind/) | DNS lookup utilities (`dig`, `nslookup`, `host`) for domain investigation |
| [mitmproxy](https://mitmproxy.org/) | Interactive HTTPS proxy for intercepting, inspecting, and modifying traffic |
| [proxychains4](https://github.com/haad/proxychains) | Route any TCP connection through SOCKS/HTTP proxies transparently |
| [netcat](https://nmap.org/ncat/) | TCP/UDP Swiss army knife for reading, writing, and tunneling network data |
| [socat](http://www.dest-unreach.org/socat/) | Multipurpose relay for bidirectional data transfer between two channels |
### Added: OSINT & Threat Intelligence
| Tool | Description |
|------|-------------|
| [ioc-finder](https://github.com/fhightower/ioc-finder) | Extract indicators of compromise (IPs, domains, hashes, URLs) from text |
| [vt-py](https://github.com/VirusTotal/vt-py) | Official VirusTotal Python client for querying file/URL/domain reputation |
| [STIX2](https://github.com/oasis-open/cti-python-stix2) | Create and parse STIX 2.x threat intelligence objects |
| [taxii2-client](https://github.com/oasis-open/cti-taxii-client) | Client library for consuming TAXII 2.x threat intel feeds |
| [whois](https://github.com/rfc1036/whois) | Query WHOIS databases for domain and IP registration details |
### Added: Productivity & Scripting
| Tool | Description |
|------|-------------|
| [tmux](https://github.com/tmux/tmux) | Terminal multiplexer — split panes, persistent sessions |
| [vim](https://www.vim.org/) | Highly configurable text editor |
| [jq](https://jqlang.github.io/jq/) | Command-line JSON processor for parsing and transforming data |
| [CyberChef CLI](https://github.com/gchq/CyberChef) | Command-line interface for GCHQ's data transformation toolkit |
| [SQLite3](https://www.sqlite.org/) | Lightweight SQL database engine — useful for querying malware databases |
| [p7zip](https://github.com/p7zip-project/p7zip) | 7-Zip archive tool supporting many formats (7z, RAR, ZIP, CAB, etc.) |
| [curl](https://curl.se/) / [wget](https://www.gnu.org/software/wget/) | Command-line HTTP clients for downloading samples and interacting with APIs |
| [git](https://git-scm.com/) | Version control — clone YARA rules repos, tool sources, and more |
## Architecture Note
The base REMnux image is `linux/amd64`. On Apple Silicon (M-series) Macs, Docker Desktop runs it under emulation (Rosetta when enabled in Docker Desktop settings, otherwise QEMU). Expect slower performance than native; CPU-heavy tools such as decompilers and emulators are affected most. Pass `--platform linux/amd64` to `docker build` and `docker run` if Docker warns about a platform mismatch.