============================================================
  Shellcode Analysis
============================================================

  Analyze extracted shellcode from documents, exploits, or injected processes. Covers detection, emulation, and payload identification.

  Related FOR610 Labs: 3.4, 3.5, 4.6, 4.7

────────────────────────────────────────────────────────────

  Step 1: Shellcode Detection
  Tools: xorsearch, yara, capa
  Scan carrier file for shellcode patterns. XORSearch -W
  -d 3 <file> detects common shellcode signatures even
  when XOR-encoded. YARA rules catch known frameworks.

    $ XORSearch -W -d 3 file.bin
    $ yara-rules specimen.bin
    $ capa specimen.exe

  Step 2: Extraction
  Tools: rtfdump-py, oledump-py, pdf-parser-py
  Extract shellcode from carrier. For RTF: rtfdump.py -s
  <group> -H -d > sc.bin. For OLE: oledump.py -s
  <stream> -d > sc.bin. For PDF: pdf-parser.py -o <obj>
  -d sc.bin.

    $ rtfdump.py document.rtf
    $ oledump.py document.docm
    $ pdf-parser.py document.pdf -a

  Step 3: Emulation
  Tools: scdbgc, speakeasy
  Emulate without execution. scdbgc /f sc.bin /s -1
  shows API calls. speakeasy -t sc.bin -r -a x86 for
  deeper emulation. Look for: URL downloads, file
  writes, process creation.

    $ scdbgc /f shellcode.bin /s -1
    $ speakeasy -t specimen.exe -o report.json 2> report.txt

  Step 4: Framework Identification
  Tools: yara, 1768-py
  Check for known frameworks. 1768.py identifies Cobalt
  Strike beacons. YARA rules detect Metasploit, Cobalt
  Strike, custom frameworks. Document beacon config if
  found.

    $ yara-rules specimen.bin
    $ 1768.py shellcode.bin

  Step 5: Conversion to EXE
  Tools: shcode2exe
  Convert shellcode to executable for static analysis:
  shcode2exe sc.bin sc.exe. Then analyze with peframe,
  strings, ghidra.

    $ shcode2exe <shellcode.bin> <output.exe>

  Step 6: String & IOC Extraction
  Tools: strings, floss, cyberchef
  Extract strings from shellcode. Look for: C2 URLs,
  download paths, filename markers, encryption keys. Use
  CyberChef for encoded content.

    $ strings binary.exe
    $ floss specimen.exe
    $ cyberchef

  Step 7: Document Findings
  Record: shellcode offset in carrier, size,
  encoding/XOR key, framework (Metasploit/CS/custom), C2
  address, downloaded payload URL, technique
  (staged/stageless).
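
  Steps 1, 6 and 7 scripted end to end, as an added example that is not part
  of this cheatsheet or of XORSearch: brute-force every single-byte XOR key
  over a carrier, look for a small constructed marker set (two PEB-walk
  instruction encodings plus a few strings stagers commonly carry; the real
  XORSearch -W signature set is the tool's own and larger), decode with the
  winning key, pull URL IOCs from the decoded view, and emit the Step 7
  findings the scan can fill (offset, XOR key, IOCs; size, framework and
  staging still come from Steps 3 to 5). The carrier, the stub and the key
  0x5A are constructed for the example.

```python
import re
from collections import defaultdict

# Markers searched for in every XOR-decoded view of the carrier. Constructed
# for this example (not XORSearch's signature set): two PEB-access instruction
# encodings that position-independent Windows shellcode uses to find kernel32,
# plus strings a download stager typically carries.
MARKERS = {
    "x86 mov eax, fs:[0x30]": bytes.fromhex("64a130000000"),
    "x64 mov rax, gs:[0x60]": bytes.fromhex("65488b042560000000"),
    "http://": b"http://",
    "https://": b"https://",
    "LoadLibraryA": b"LoadLibraryA",
    "GetProcAddress": b"GetProcAddress",
}

# Printable-ASCII URL, terminated by the first non-printable byte (e.g. NUL).
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (key 0 is the identity)."""
    table = bytes(i ^ key for i in range(256))
    return data.translate(table)


def scan_xor_keys(data: bytes) -> dict:
    """Try all 256 single-byte keys; map key -> sorted [(offset, marker), ...]."""
    hits = defaultdict(list)
    for key in range(256):
        view = xor_decode(data, key)
        for name, marker in MARKERS.items():
            pos = view.find(marker)
            while pos != -1:
                hits[key].append((pos, name))
                pos = view.find(marker, pos + 1)
    return {k: sorted(v) for k, v in hits.items()}


def extract_iocs(decoded: bytes) -> list:
    """Step 6: URL-shaped strings from the decoded buffer, as text."""
    return [m.decode("ascii") for m in URL_RE.findall(decoded)]


def analyze(carrier: bytes) -> dict:
    """Steps 1, 6 and 7 in one pass: detect, decode, extract IOCs, record."""
    hits = scan_xor_keys(carrier)
    if not hits:
        return {"detected": False}
    best_key = max(hits, key=lambda k: len(hits[k]))  # key with most hits
    decoded = xor_decode(carrier, best_key)
    return {
        "detected": True,
        "offset": hits[best_key][0][0],   # first marker = start of the region
        "xor_key": best_key,
        "markers": hits[best_key],
        "iocs": extract_iocs(decoded),
    }


# Constructed sample: a fake PDF-looking carrier with a stager-like stub
# XOR-encoded with 0x5A. Nothing here is a real payload; the stub is a PEB
# access instruction, a NOP run and two strings, placed at offset 73.
STUB = (bytes.fromhex("64a130000000")              # mov eax, fs:[0x30]
        + b"\x90" * 8
        + b"http://example.invalid/stage.bin\x00"
        + b"LoadLibraryA\x00")
SAMPLE_KEY = 0x5A
SAMPLE_CARRIER = (b"%PDF-1.4\n" + b"A" * 64
                  + xor_decode(STUB, SAMPLE_KEY) + b"\x00" * 32)

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_CARRIER), indent=2))
```

  The scan keeps every key that produced a hit, not just the best one, so a
  carrier with two differently keyed blobs shows up as two keys in
  scan_xor_keys; the recorded offset is the first marker, which is a lower
  bound on the real start of the shellcode, not the entry point.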

────────────────────────────────────────────────────────────
  Tip: 'fhelp cheat <tool>' for full examples
       'Ctrl+G' for interactive cheatsheet browser
