
@0x3n0
Created February 12, 2026 01:34
Because sometimes you just want your file manager to behave like a SOC analyst.

🧠 Ranger God Preview Mode

Turn ranger into a full terminal malware triage & reverse engineering dock.

This is a heavily modified scope.sh preview script that transforms ranger into:

  • Red Team Recon Dock
  • Malware Research Quick Triage
  • Threat Intel IOC Extractor
  • Binary Static Recon Tool

All triggered automatically when you highlight files inside ranger.


✨ Features

🩸 Red Team Reverse Dock

  • ELF mitigation detection (RELRO, NX, PIE, Canary)
  • Function symbol preview
  • Import table quick scan
  • ROP gadget quick preview
  • Syscall indicator detection
  • Section entropy overview
  • Packed binary heuristics
  • Radare2 structural summary

🧠 Malware Threat Intel Mode

  • File hashing (MD5 / SHA1 / SHA256)

  • IOC extraction:

    • URLs
    • Domains
    • IP addresses
  • Suspicious keyword grep (Windows API names, shell/download commands, credential words — noisy on ordinary binaries, treat hits as leads)

  • Base64 auto detection + decode preview

  • Shellcode signature detection (a single x86-32 heuristic: `xor eax,eax` … `int 0x80`; anything else is not detected)

  • Packer detection (UPX marker strings only; other packers only show up through the entropy sections)

  • YARA scanning support

  • ClamAV quick scan support


🔍 Binary Intelligence

  • Global entropy detection
  • Section entropy overview
  • String triage filtering
  • Hex preview fallback
  • Large text file safe preview (files over 1 MiB show only their first 200 lines)

🎥 Media Preview

  • Image preview (native ranger backend)
  • Video thumbnail preview

⚙️ Dependencies

Minimal:

file
xxd
strings / nm / readelf / objdump (binutils)
python3 (entropy calculation)
bat (optional but recommended)

Full God Mode:

checksec
radare2
ropper
yara
clamav
ffmpegthumbnailer

Arch Linux example:

sudo pacman -S checksec radare2 ropper yara clamav ffmpegthumbnailer bat

📦 Scope.sh

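#!/usr/bin/env bash
# ranger preview script (scope.sh) tuned for malware triage.
#
# ranger runs this for the highlighted file; the exit status tells ranger how
# to treat the output (see the dispatch at the bottom of the file). Everything
# here is static inspection of an untrusted file: the sample is never run, but
# every tool that parses it (file, readelf/objdump, radare2, ropper, yara,
# clamav, bat, ffmpegthumbnailer, ...) is attack surface and runs as the
# interactive user, on every cursor movement, without confirmation.

# noclobber: never overwrite via '>'; noglob: sample names are data, not
# patterns; nounset: a missing ranger argument is a bug, not an empty path;
# pipefail: a failing stage fails its pipeline. `set -e` is deliberately
# absent: individual tools are expected to fail on formats they do not handle.
set -o noclobber -o noglob -o nounset -o pipefail
IFS=$'\n'

# Positional arguments as supplied by ranger's preview hook (per ranger's
# default scope.sh: $1 path, $2 width, $3 height, $4 image cache path,
# $5 "True"/"False" image previews). Width/height are not used here.
FILE_PATH="${1}"
IMAGE_CACHE_PATH="${4}"
PV_IMAGE_ENABLED="${5}"

# --dereference: a symlink in the samples directory is classified as its
# target. `--` stops option parsing should a path ever start with '-'.
MIMETYPE="$(file --dereference --brief --mime-type -- "${FILE_PATH}")"
FILE_SIZE="$(stat -c%s -- "${FILE_PATH}")"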

divider() {
    # Horizontal rule that frames every section header; the leading blank
    # line keeps consecutive sections from running into each other.
    local rule='================================================================'
    printf '\n%s\n' "${rule}"
}

section() {
    # Print a framed heading: rule, one space-indented title line, rule.
    # $1 - heading text; passed through %s so it is never treated as a format.
    local heading=$1
    divider
    printf ' %s\n' "${heading}"
    divider
}

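hashes() {
    section "HASHES"
    # MD5/SHA-1 are kept only for looking samples up in older feeds; SHA-256
    # is the one to share. `--` stops option parsing for a path that starts
    # with '-'. Each call reads the whole file, so this is three full reads
    # per highlight on large samples.
    local algo
    for algo in md5sum sha1sum sha256sum; do
        "${algo}" -- "${FILE_PATH}"
    done
}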

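entropy_total() {
    section "TOTAL ENTROPY"
    # Shannon entropy (bits per byte) over the whole file, as a packing /
    # encryption hint. The path is handed to Python as argv[1] and the
    # heredoc is quoted: the previous unquoted heredoc spliced ${FILE_PATH}
    # into a Python string literal, so a sample named e.g.
    #   x");import os;os.system("...
    # would have been executed as Python the moment it was highlighted.
    # The file is read fully into memory; very large samples will be slow.
    python3 - "${FILE_PATH}" <<'EOF'
import math
import sys
from collections import Counter

with open(sys.argv[1], "rb") as fh:
    data = fh.read()

if not data:
    print("Empty file")
else:
    total = len(data)
    freq = Counter(data)
    entropy = -sum(c / total * math.log2(c / total) for c in freq.values())
    print(f"Entropy: {entropy:.4f}")
    # Thresholds are rules of thumb; compressed media also lands up here.
    if entropy > 7.5:
        print("Very High → Packed/Encrypted")
    elif entropy > 6.8:
        print("High → Possibly Packed")
EOF
}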

section_entropy() {
    section "SECTION ENTROPY"
    # The header is printed even without radare2 so the empty section is
    # visible. NOTE(review): `rabin2 -S` lists section headers
    # (address/size/perms); whether an entropy column is included depends on
    # the radare2 version — `r2 -q -c 'iS entropy'` is the explicit form.
    # Confirm before relying on this for packing decisions.
    command -v rabin2 >/dev/null || return 0
    rabin2 -S "${FILE_PATH}" 2>/dev/null | head -20
}

elf_mitigations() {
    section "ELF MITIGATIONS"
    # checksec reports RELRO / stack canary / NX / PIE. It is not gated on
    # MIMETYPE, so PE samples reach it as well.
    # NOTE(review): what checksec prints for a non-ELF input depends on the
    # checksec version — confirm rather than reading a blank as "no mitigations".
    if ! command -v checksec >/dev/null; then
        return 0
    fi
    checksec --file="${FILE_PATH}"
}

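imports() {
    section "IMPORTS"
    # ELF first: undefined (UND) dynamic symbols are the imported functions.
    # If that yields nothing (PE sample, static binary, unreadable file) fall
    # back to objdump's PE import table ("DLL Name:" lines).
    # Output is captured instead of chaining the two pipelines with `||`:
    # under pipefail, `head` closing the pipe early (SIGPIPE in grep) would
    # otherwise trigger the fallback after a perfectly good ELF listing.
    local listing
    listing="$(readelf -Ws -- "${FILE_PATH}" 2>/dev/null | grep UND | head -20)"
    if [[ -z "${listing}" ]]; then
        listing="$(objdump -p -- "${FILE_PATH}" 2>/dev/null | grep DLL | head -20)"
    fi
    printf '%s\n' "${listing:-None}"
}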

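symbols() {
    section "FUNCTION SYMBOLS"
    # Demangled symbols in the text section (" T "). Only meaningful for
    # unstripped ELF; stripped samples and PE files produce nothing, which is
    # reported as "None" like the other string-based sections.
    local defined
    defined="$(nm -C -- "${FILE_PATH}" 2>/dev/null | grep " T " | head -20)"
    printf '%s\n' "${defined:-None}"
}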

rop_preview() {
    section "ROP GADGET PREVIEW"
    # First 20 pop/ret gadgets ropper finds. ropper loads the sample with its
    # own parsers and disassembles it on every highlight, which is slow on
    # large binaries and is more attacker-reachable code than the grep-based
    # sections. The header is printed even when ropper is missing.
    command -v ropper >/dev/null || return 0
    ropper --file "${FILE_PATH}" --search "pop|ret" 2>/dev/null | head -20
}

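syscall_detect() {
    section "SYSCALL INDICATORS"
    # Keyword hits in printable strings of >= 6 chars. A hint only: these
    # words are common in any libc-linked binary and nothing here
    # disassembles for actual `syscall`/`int 0x80` instructions.
    # Captured first: with pipefail, `head` truncating a long hit list makes
    # grep die of SIGPIPE, and `... || echo None` would then print "None"
    # underneath real results.
    local hits
    hits="$(strings -n 6 < "${FILE_PATH}" \
        | grep -Ei 'syscall|execve|fork|ptrace|mprotect' | head -15)"
    printf '%s\n' "${hits:-None}"
}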

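network_ioc() {
    section "URL / IP / DOMAIN"
    # Noisy by design: the IP branch accepts any four dotted numbers (version
    # strings, octets > 255) and the domain branch matches anything shaped
    # like name.tld, including shared-object names such as libc.so. Treat
    # the list as candidates to verify, never as confirmed IOCs.
    # Captured first so a truncated pipe (SIGPIPE under pipefail) cannot
    # append a spurious "None" after real hits.
    local iocs
    iocs="$(strings -n 6 < "${FILE_PATH}" \
        | grep -Eo '(http[s]?://[^"]+|[0-9]{1,3}(\.[0-9]{1,3}){3}|[A-Za-z0-9.-]+\.[A-Za-z]{2,6})' \
        | head -20)"
    printf '%s\n' "${iocs:-None}"
}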

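suspicious_keywords() {
    section "SUSPICIOUS KEYWORDS"
    # Case-insensitive keyword grep over printable strings. The tail of the
    # list (socket, connect, token, auth) matches almost any networked
    # program, so expect hits on benign binaries; the Windows API names and
    # shell one-liners are the informative ones.
    # Captured first so a truncated pipe (SIGPIPE under pipefail) cannot
    # append a spurious "None" after real hits.
    local hits
    hits="$(strings -n 6 < "${FILE_PATH}" \
        | grep -Ei 'cmd\.exe|powershell|wget|curl|nc |bash -i|/bin/sh|VirtualAlloc|CreateRemoteThread|LoadLibrary|WinExec|socket|connect|token|apikey|auth' \
        | head -20)"
    printf '%s\n' "${hits:-None}"
}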

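base64_detect() {
    section "BASE64 DETECT"
    # Candidates: printable runs of >= 40 base64-alphabet characters, first
    # three only. Collected into an array so that `head` truncating the list
    # cannot fail the pipeline (SIGPIPE under pipefail) and append "None"
    # below real hits.
    local -a candidates=()
    mapfile -t candidates < <(strings -n 40 < "${FILE_PATH}" \
        | grep -E '^[A-Za-z0-9+/=]{40,}$' | head -3)
    if (( ${#candidates[@]} == 0 )); then
        printf 'None\n'
        return 0
    fi
    local encoded
    for encoded in "${candidates[@]}"; do
        printf '[Encoded]\n%s\n[Decoded Preview]\n' "${encoded}"
        # Decoded bytes are attacker-controlled: bound what is shown and
        # render control characters visibly (cat -v) so a sample cannot
        # drive the analyst's terminal with embedded escape sequences.
        # A length that is not a multiple of 4 does not decode and shows
        # nothing; that is deliberate rather than guessing at padding.
        printf '%s' "${encoded}" | base64 -d 2>/dev/null | head -c 512 | cat -v
        printf '\n'
    done
}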

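upx_check() {
    section "PACKER CHECK"
    # Looks for UPX marker strings ("UPX0"/"UPX1" section names, "UPX!"
    # magic). The default minimum string length (4) is kept on purpose:
    # `-n 6` would miss the 4-byte section names. It is a case-insensitive
    # substring match, so unrelated words containing "upx" are false
    # positives, a renamed UPX stub is a false negative, and other packers
    # are not detected at all — use the entropy sections for those.
    # Captured first so a truncated pipe cannot append the fallback text.
    local marker
    marker="$(strings < "${FILE_PATH}" | grep -i upx | head -3)"
    printf '%s\n' "${marker:-No UPX string}"
}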

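shellcode_pattern() {
    section "SHELLCODE SIGNATURE"
    # Classic x86-32 pattern: `xor eax,eax` (31 c0) followed within 64 bytes
    # by `int 0x80` (cd 80). The previous unbounded `31c0.*cd80` matched
    # across the entire file (printing one enormous hex line for any large
    # binary) and also at odd nibble offsets, i.e. not on byte boundaries.
    # `grep -ob` gives the nibble offset of each match; only even offsets
    # are byte-aligned. od is used instead of xxd so this works with
    # coreutils alone. Still a weak heuristic: 32-bit Linux only and
    # trivially evaded — a hit is a prompt to look, not a verdict.
    local hit
    hit="$(od -An -tx1 -v -- "${FILE_PATH}" | tr -d ' \n' \
        | grep -obE '31c0(..){0,64}cd80' \
        | awk -F: '$1 % 2 == 0 { print $2; exit }')"
    printf '%s\n' "${hit:-None detected}"
}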

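r2_info() {
    # Silent (no header) when radare2 is absent, like yara/clamav.
    command -v rabin2 >/dev/null || return 0
    section "R2 QUICK INFO"
    # `rabin2 -I` prints the binary's header info (arch, bits, endian,
    # class, stripped/static flags, ...). The previous `r2 -I <sample>` used
    # radare2's "run script file before the target is loaded" option (per
    # r2's usage text), i.e. it fed the sample itself to r2 as a command
    # script — and r2 command scripts can run shell commands with `!`.
    # That was the one place in this preview where a sample's bytes could
    # end up being executed on highlight.
    rabin2 -I "${FILE_PATH}" 2>/dev/null | head -20
}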

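yara_scan() {
    local rules_dir="${HOME}/yara_rules"
    # Silent (no header) unless yara is installed and the rules dir exists.
    command -v yara >/dev/null || return 0
    [[ -d "${rules_dir}" ]] || return 0
    section "YARA SCAN"
    # yara takes RULES_FILE... TARGET; `-r` makes the *target* recursive and
    # a directory is not accepted as a rules file, so the old
    # `yara -r "$rules_dir" sample` never scanned anything. Every regular
    # file in the directory is compiled and run separately (noglob is set,
    # hence find). A rule file that fails to compile is skipped silently —
    # check rules by hand with `yara <rule> /dev/null` before dropping them in.
    local matches
    matches="$(find "${rules_dir}" -type f \
        -exec yara {} "${FILE_PATH}" \; 2>/dev/null | head -20)"
    printf '%s\n' "${matches:-No match}"
}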

clam_scan() {
    # Only when ClamAV is installed; the header is deliberately omitted
    # otherwise so the preview does not advertise a scan that never ran.
    command -v clamscan >/dev/null || return 0
    section "CLAMAV QUICK SCAN"
    # `|| true`: clamscan exits non-zero on a detection as well as on an
    # error, and a hit must not abort the rest of the preview. stderr is
    # discarded, which also hides "database not found" — an empty section
    # here is not evidence of a clean file.
    clamscan --no-summary "${FILE_PATH}" 2>/dev/null || true
}

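text_preview() {
    # Text-like files. Everything printed here comes straight from the
    # sample, so control characters are rendered visibly (cat -v) instead of
    # being passed to the terminal: a crafted text file can otherwise inject
    # escape sequences that rewrite the screen or spoof output. FILE_SIZE is
    # the stat'ed size in bytes; above 1 MiB only the first 200 lines are
    # shown (which can still be a lot for minified content).
    local -r size_limit=1048576
    if (( FILE_SIZE > size_limit )); then
        head -n 200 -- "${FILE_PATH}" | cat -v
    elif command -v bat >/dev/null; then
        # NOTE(review): bat is assumed to neutralise embedded escape
        # sequences; if your version passes them through, add --show-all
        # or fall back to the cat -v branch.
        bat --color=always --style=numbers "${FILE_PATH}"
    else
        cat -v -- "${FILE_PATH}"
    fi
}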

handle_image() {
    # Hand image-like files to ranger's image backend.
    # Exit 7: ranger displays the file itself. Exit 6: ranger displays the
    # thumbnail written to IMAGE_CACHE_PATH. Exit 1: no preview.
    # Anything else falls through to the MIME dispatch in the caller.
    # Both branches hand untrusted bytes to an image/video decoder (the
    # preview backend, ffmpegthumbnailer) — worth remembering in a samples dir.
    if [[ "${MIMETYPE}" == image/* ]]; then
        exit 7
    elif [[ "${MIMETYPE}" == video/* ]]; then
        if ffmpegthumbnailer -i "${FILE_PATH}" -o "${IMAGE_CACHE_PATH}" -s 0; then
            exit 6
        fi
        exit 1
    fi
}

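# Images/videos go to ranger's image backend when image previews are on;
# handle_image exits for those and returns for everything else.
if [[ "${PV_IMAGE_ENABLED}" == "True" ]]; then
    handle_image
fi

# Exit codes follow ranger's scope.sh contract; 5 = fixed-width text preview.
case "${MIMETYPE}" in

    # Native executables and shared objects. libmagic reports PE as
    # x-dosexec or, depending on its version, vnd.microsoft.portable-executable;
    # ELF shared objects (.so) are x-sharedlib. All are worth the same
    # tool chain — a .so dropped next to a loader is as interesting as the loader.
    application/x-executable|application/x-pie-executable|application/x-sharedlib|application/x-dosexec|application/vnd.microsoft.portable-executable)

        section "FILE INFO"
        file -- "${FILE_PATH}"
        hashes
        elf_mitigations
        imports
        symbols
        rop_preview
        syscall_detect
        suspicious_keywords
        network_ioc
        upx_check
        entropy_total
        section_entropy
        shellcode_pattern
        base64_detect
        r2_info
        yara_scan
        clam_scan
        exit 5;;

    # Unclassified blobs: a short hex dump plus the format-independent checks.
    # xxd already renders non-printables as '.', so the dump is terminal-safe.
    application/octet-stream)

        section "HEX PREVIEW"
        xxd < "${FILE_PATH}" | head -40
        hashes
        entropy_total
        base64_detect
        exit 5;;

    text/*|*/xml|application/json)

        text_preview
        exit 5;;

esac

section "GENERIC FILE INFO"
file --brief -- "${FILE_PATH}"
exit 5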

1️⃣ Backup default ranger preview

cp ~/.config/ranger/scope.sh ~/.config/ranger/scope.sh.bak

2️⃣ Replace with this script

~/.config/ranger/scope.sh

Make executable:

chmod +x ~/.config/ranger/scope.sh

3️⃣ Enable preview in ranger

Inside ranger:

:set preview_images true
:set use_preview_script true

🧪 Optional YARA Integration

Create rule directory:

mkdir ~/yara_rules

Drop any rule inside.

Whenever that directory exists and `yara` is on PATH, the script runs the rules against every highlighted executable (the YARA section is part of the executable branch only).


🧯 Safety Notice

This script only inspects samples statically; it never runs them. Inspection is still attack surface: every tool invoked here (file, readelf/objdump/nm, radare2, ropper, yara, clamav, bat, ffmpegthumbnailer) parses attacker-controlled bytes with your user's privileges, and previews fire on highlight without any confirmation.

However:

  • Always analyze suspicious samples in an isolated VM (snapshot first): a parser bug in any of the tools above means the sample effectively runs as you.
  • Avoid browsing unknown malware directories casually — every cursor movement runs the full tool chain against the highlighted file, and hashing plus entropy read each file in full.
  • Ranger preview still reads file contents, and decoded strings and base64 previews are written straight to your terminal; a crafted sample can embed terminal escape sequences, so filter preview output through `cat -v` (or equivalent) rather than printing raw bytes.

🧬 Tested On

  • Arch Linux
  • X11
  • ST terminal
  • ueberzugpp preview backend
  • DWM window manager

💀 Why This Exists

Because opening IDA/Ghidra for quick triage is sometimes overkill.

Sometimes you just want:

cd malware_samples
ranger

…and instantly know what you're dealing with.


🤝 Contributions

Feel free to extend:

  • VT API integration (hash lookups only — uploading a sample publishes it and can tip off its operator)
  • Auto IOC export
  • Dynamic sandbox launcher (as an explicit ranger command, never from the preview hook — previews fire on highlight, so nothing that executes a sample belongs in scope.sh)
  • Dropper/Loader classification
  • PE deep analysis
  • Syscall table extraction

🧾 License

MIT — Do whatever you want.


0x3n0 commented Feb 12, 2026

Built this as a personal experiment turning ranger into a malware triage dock.
Surprisingly useful during quick reversing sessions.
