Add markdown wiki with 473 pages and zk browser

Generate interlinked wiki from master inventory: 397 tool pages, 15 workflow pages, 27 recipe pages, 33 category pages, plus index. All pages use [[wiki-links]] for cross-navigation between tools, workflows, recipes, and categories (1782 links total). Install zk for interactive browsing with fzf search, tag filtering, and backlink discovery. Add 'fhelp wiki' command and Makefile target. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 19:50:36 +01:00
parent b13db23a5e
commit e62a14dafc
478 changed files with 7683 additions and 5 deletions
@@ -0,0 +1,18 @@
+# Quick APK Triage
+> Fast initial assessment of a suspicious Android app
+
+**Tools:** [[tools/apkid|apkid]], [[tools/apktool|apktool]], [[tools/jadx|jadx]]
+
+## Commands
+```bash
+# Check for packers/obfuscators
+apkid <app.apk>
+# Decompile to smali + resources
+apktool d <app.apk> -o output/
+# Check permissions
+grep 'uses-permission' output/AndroidManifest.xml
+# Decompile to Java source
+jadx <app.apk> -d src/
+```
+
+#recipe #apkid #apktool #jadx
@@ -0,0 +1,15 @@
+# Decode Base64 + XOR Shellcode
+> Extract shellcode encoded as Base64 with an XOR key
+
+**Tools:** [[tools/base64dump-py|base64dump-py]], [[tools/translate-py|translate-py]]
+**FOR610 Lab:** 3.4
+
+## Commands
+```bash
+# Find Base64 strings
+base64dump.py <script.ps1> -n 10
+# Decode Base64, then XOR with key
+base64dump.py <script.ps1> -s <selection> -d | translate.py 'byte ^ <key>' > shellcode.bin
+```
+
+#recipe #base64dump-py #translate-py
@@ -0,0 +1,19 @@
+# Filter Capabilities by Technique
+> Find specific capabilities in capa output
+
+**Tools:** [[tools/capa|capa]]
+**FOR610 Lab:** 1.4, 5.4
+
+## Commands
+```bash
+# Full capabilities report
+capa <sample>
+# Verbose with rule matches
+capa -vv <sample>
+# Filter for specific technique
+capa -vv <sample> | grep -A7 '<technique_name>'
+# Find injection-related capabilities
+capa -vv <sample> | grep -A7 'inject\|hollow\|suspend'
+```
+
+#recipe #capa
@@ -0,0 +1,15 @@
+# Parse Cobalt Strike Beacon Configuration
+> Extract C2 config from a Cobalt Strike beacon or shellcode
+
+**Tools:** [[tools/1768-py|1768-py]], [[tools/yara|yara]]
+**FOR610 Lab:** 3.4
+
+## Commands
+```bash
+# Scan with YARA for CS signatures
+yara-rules <sample>
+# Extract beacon configuration
+1768.py <sample_or_shellcode.bin>
+```
+
+#recipe #1768-py #yara
@@ -0,0 +1,14 @@
+# Visual XOR/Base64 Decode with CyberChef
+> Use CyberChef's recipe builder for multi-step decoding
+
+**Tools:** [[tools/cyberchef|cyberchef]]
+
+## Commands
+```bash
+# Launch CyberChef
+cyberchef
+# Common recipe: From Hex → XOR (key) → extract strings
+# Common recipe: From Base64 → Decode text UTF-16LE
+```
+
+#recipe #cyberchef
@@ -0,0 +1,19 @@
+# Set Up DNS + HTTP Interception
+> Redirect all malware DNS queries and serve fake HTTP responses
+
+**Tools:** [[tools/fakedns|fakedns]], [[tools/httpd|httpd]], [[tools/inetsim|inetsim]]
+
+## Commands
+```bash
+# Option A: Simple DNS + HTTP
+fakedns &
+httpd &
+# Option B: Full service emulation (HTTP, HTTPS, DNS, FTP, SMTP)
+inetsim
+# Verify DNS is working
+nslookup anything.com
+# Redirect hardcoded IPs too
+iptables -t nat -A PREROUTING -i eth0 -j REDIRECT
+```
+
+#recipe #fakedns #httpd #inetsim
@@ -0,0 +1,18 @@
+# Decompile .NET on Command Line
+> Decompile a .NET assembly to C# source on REMnux
+
+**Tools:** [[tools/ilspycmd|ilspycmd]], [[tools/de4dot|de4dot]]
+**FOR610 Lab:** 4.8
+
+## Commands
+```bash
+# Decompile to C# source
+ilspycmd <assembly.exe> > source.cs
+# Search for suspicious patterns
+grep -n 'Assembly.Load\|WebClient\|Process.Start' source.cs
+# If obfuscated, deobfuscate first
+de4dot <assembly.exe>
+ilspycmd <assembly-cleaned.exe> > source_clean.cs
+```
+
+#recipe #ilspycmd #de4dot
@@ -0,0 +1,18 @@
+# Extract and Triage Email Attachments
+> Pull attachments from an email and identify their types
+
+**Tools:** [[tools/emldump-py|emldump-py]], [[tools/file|file]], [[tools/sha256sum|sha256sum]]
+
+## Commands
+```bash
+# List email structure
+emldump.py <email.eml>
+# Extract all attachments
+emldump.py <email.eml> -d
+# Identify file types
+file attachment_*
+# Compute hashes for lookup
+sha256sum attachment_*
+```
+
+#recipe #emldump-py #file #sha256sum
@@ -0,0 +1,12 @@
+# Deobfuscate Excel 4.0 (XLM) Macros
+> Extract and decode legacy Excel macros hidden in sheets
+
+**Tools:** [[tools/xlmmacrodeobfuscator|xlmmacrodeobfuscator]]
+
+## Commands
+```bash
+# Deobfuscate XLM macros
+xlmdeobfuscator --file <spreadsheet.xlsm>
+```
+
+#recipe #xlmmacrodeobfuscator
@@ -0,0 +1,19 @@
+# Extract Base64 PowerShell from Office Macro
+> Get encoded PowerShell payload hidden in a VBA UserForm stream
+
+**Tools:** [[tools/oledump-py|oledump-py]], [[tools/base64dump-py|base64dump-py]]
+**FOR610 Lab:** 3.4
+
+## Commands
+```bash
+# List streams — find macro (M) and data streams
+oledump.py <document>
+# Extract VBA source to understand what the macro does
+oledump.py <document> -s <macro_stream> -v
+# Scan data stream for Base64 strings
+oledump.py <document> -s <data_stream> -d | base64dump.py -n 10
+# Decode the longest Base64 hit to file
+oledump.py <document> -s <data_stream> -d | base64dump.py -s 1 -d > payload.ps1
+```
+
+#recipe #oledump-py #base64dump-py
@@ -0,0 +1,19 @@
+# Deobfuscate JavaScript with SpiderMonkey
+> Execute obfuscated JS safely using SpiderMonkey with API simulation
+
+**Tools:** [[tools/js-beautify|js-beautify]], [[tools/spidermonkey|spidermonkey]]
+**FOR610 Lab:** 3.6, 3.7
+
+## Commands
+```bash
+# Beautify compressed JavaScript
+js-beautify <malicious.js> > readable.js
+# Execute with objects.js to simulate browser/WScript APIs
+js -f /usr/share/remnux/objects.js -f <malicious.js> > decoded.js
+# If script expects location.href, edit objects.js first:
+cp /usr/share/remnux/objects.js .
+# Edit objects.js to set: location = { href: 'http://expected-url' }
+js -f objects.js -f <malicious.js> > decoded.js
+```
+
+#recipe #js-beautify #spidermonkey
@@ -0,0 +1,19 @@
+# Clean Null Bytes from UTF-16 JavaScript
+> Remove null byte padding from UTF-16 encoded JavaScript before analysis
+
+**Tools:** [[tools/spidermonkey|spidermonkey]]
+**FOR610 Lab:** 4.5
+
+## Commands
+```bash
+# Check for null bytes (look for 00 in hex)
+xxd <script.js> | head -2
+# Remove null bytes
+cat <script.js> | tr -d '\00' > clean.js
+# Then deobfuscate
+js -f /usr/share/remnux/objects.js -f clean.js > decoded.js
+# Beautify the result
+js-beautify decoded.js > final.js
+```
+
+#recipe #spidermonkey
@@ -0,0 +1,15 @@
+# Decode Base64 + Gzip Payload
+> Handle double-encoded payloads: Base64 wrapping gzip-compressed content
+
+**Tools:** [[tools/base64dump-py|base64dump-py]], [[tools/gunzip|gunzip]]
+**FOR610 Lab:** 3.4
+
+## Commands
+```bash
+# Find Base64 strings in the script
+base64dump.py <script.ps1> -n 10
+# Decode Base64 and decompress gzip in one chain
+base64dump.py <script.ps1> -s <selection> -d | gunzip > decoded.ps1
+```
+
+#recipe #base64dump-py #gunzip
@@ -0,0 +1,22 @@
+# Full Office Macro Decode Chain
+> Complete pipeline: Office doc → VBA → Base64 → gunzip → XOR → shellcode
+
+**Tools:** [[tools/oledump-py|oledump-py]], [[tools/base64dump-py|base64dump-py]], [[tools/gunzip|gunzip]], [[tools/translate-py|translate-py]], [[tools/scdbgc|scdbgc]]
+**FOR610 Lab:** 3.4
+
+## Commands
+```bash
+# Step 1: List streams and extract VBA
+oledump.py <document>
+oledump.py <document> -s <macro_stream> -v
+# Step 2: Extract Base64 from data stream
+oledump.py <document> -s <data_stream> -d | base64dump.py -s 1 -d > stage1.ps1
+# Step 3: Decode second Base64 layer + decompress
+base64dump.py stage1.ps1 -s 3 -d | gunzip > stage2.ps1
+# Step 4: XOR decode the shellcode
+base64dump.py stage2.ps1 -s 2 -d | translate.py 'byte ^ 35' > shellcode.bin
+# Step 5: Emulate the shellcode
+scdbgc /f shellcode.bin /s -1
+```
+
+#recipe #oledump-py #base64dump-py #gunzip #translate-py #scdbgc
@@ -0,0 +1,12 @@
+# Decrypt Password-Protected Office Document
+> Remove password protection before analysis
+
+**Tools:** [[tools/msoffcrypto-tool|msoffcrypto-tool]]
+
+## Commands
+```bash
+# Common malware passwords: infected, malware, password, 123456
+msoffcrypto-tool -p infected <encrypted.docx> <decrypted.docx>
+```
+
+#recipe #msoffcrypto-tool
@@ -0,0 +1,16 @@
+# Extract Files from Network Capture
+> Carve downloaded payloads and exfiltrated data from PCAP
+
+**Tools:** [[tools/tcpxtract|tcpxtract]], [[tools/tcpflow|tcpflow]], [[tools/networkminer|networkminer]]
+
+## Commands
+```bash
+# Carve files using signatures
+tcpxtract -f <capture.pcap> -o carved/
+# Extract individual TCP streams
+tcpflow -r <capture.pcap> -o streams/
+# Or use NetworkMiner for automated extraction
+NetworkMiner --pcap <capture.pcap>
+```
+
+#recipe #tcpxtract #tcpflow #networkminer
@@ -0,0 +1,16 @@
+# Extract JavaScript from PDF
+> Find and extract embedded JavaScript from a PDF file
+
+**Tools:** [[tools/pdfid-py|pdfid-py]], [[tools/pdf-parser-py|pdf-parser-py]], [[tools/peepdf|peepdf]]
+
+## Commands
+```bash
+# Check if PDF contains JavaScript
+pdfid.py <document.pdf>
+# Find objects with JavaScript
+pdf-parser.py <document.pdf> -s /JavaScript
+# Interactive analysis with peepdf
+peepdf -i <document.pdf>
+```
+
+#recipe #pdfid-py #pdf-parser-py #peepdf
@@ -0,0 +1,21 @@
+# Extract Embedded Object from PDF
+> Pull out an embedded image, JavaScript, or file from a PDF object
+
+**Tools:** [[tools/pdfid-py|pdfid-py]], [[tools/pdf-parser-py|pdf-parser-py]], [[tools/feh|feh]]
+**FOR610 Lab:** 3.1
+
+## Commands
+```bash
+# Scan for suspicious keywords
+pdfid.py <document.pdf>
+# Find objects containing the keyword
+pdf-parser.py <document.pdf> -s /URI
+# Extract all values for that keyword
+pdf-parser.py <document.pdf> -k /URI
+# Dump a specific object to file
+pdf-parser.py <document.pdf> -o <obj_id> -d extracted_object
+# View extracted image
+feh extracted_object &
+```
+
+#recipe #pdfid-py #pdf-parser-py #feh
@@ -0,0 +1,19 @@
+# Extract Shellcode from RTF Document
+> Find and extract embedded shellcode from a malicious RTF file
+
+**Tools:** [[tools/rtfdump-py|rtfdump-py]], [[tools/xorsearch|xorsearch]], [[tools/scdbgc|scdbgc]]
+**FOR610 Lab:** 3.5
+
+## Commands
+```bash
+# Scan RTF structure — look for groups with lots of hex data
+rtfdump.py <document.rtf>
+# Extract the hex-heavy group as binary
+rtfdump.py <document.rtf> -s <group_num> -H -d > extracted.bin
+# Scan for shellcode patterns (even XOR-encoded)
+XORSearch -W -d 3 extracted.bin
+# Emulate shellcode at found offset
+scdbgc /f extracted.bin /foff <offset> /s -1
+```
+
+#recipe #rtfdump-py #xorsearch #scdbgc
@@ -0,0 +1,17 @@
+# Emulate Shellcode at Specific Offset
+> Run shellcode that starts at an offset within a larger binary
+
+**Tools:** [[tools/scdbgc|scdbgc]]
+**FOR610 Lab:** 3.5, 4.6
+
+## Commands
+```bash
+# Emulate from file start
+scdbgc /f <shellcode.bin> /s -1
+# Emulate from specific offset (hex)
+scdbgc /f <shellcode.bin> /foff <hex_offset> /s -1
+# Emulate with a file handle pre-opened (for exploits)
+scdbgc /f <shellcode.bin> /foff <offset> /fopen <carrier.doc> /s -1
+```
+
+#recipe #scdbgc
@@ -0,0 +1,12 @@
+# Convert Shellcode to Executable
+> Wrap raw shellcode in a PE for analysis in disassemblers
+
+**Tools:** [[tools/shcode2exe|shcode2exe]]
+
+## Commands
+```bash
+# Convert 32-bit shellcode to EXE
+shcode2exe <shellcode.bin> <output.exe>
+```
+
+#recipe #shcode2exe
@@ -0,0 +1,17 @@
+# Emulate Malware and Extract API Calls
+> Emulate a Windows binary on Linux and analyze its API usage
+
+**Tools:** [[tools/speakeasy|speakeasy]], [[tools/jq|jq]]
+**FOR610 Lab:** 1.4
+
+## Commands
+```bash
+# Emulate and capture both JSON report and text log
+speakeasy -t <sample> -o report.json 2> report.txt
+# Extract all API names called
+jq '.entry_points[].apis[].api_name' report.json
+# Extract unique API names
+jq -r '.entry_points[].apis[].api_name' report.json | sort -u
+```
+
+#recipe #speakeasy #jq
@@ -0,0 +1,17 @@
+# Extract Stack-Built Strings
+> Decode strings assembled byte-by-byte on the stack
+
+**Tools:** [[tools/strdeob-pl|strdeob-pl]], [[tools/floss|floss]]
+**FOR610 Lab:** 5.2
+
+## Commands
+```bash
+# Automatic stack string recovery
+strdeob.pl <sample>
+# FLOSS automatic deobfuscation (static + stack + decoded)
+floss <sample>
+# FLOSS skip static strings, only show decoded
+floss --no-static -- <sample>
+```
+
+#recipe #strdeob-pl #floss
@@ -0,0 +1,15 @@
+# Decode VBA Number Arrays to Strings
+> Convert VBA macros that use Chr() number sequences into readable text
+
+**Tools:** [[tools/oledump-py|oledump-py]], [[tools/numbers-to-string-py|numbers-to-string-py]]
+**FOR610 Lab:** 3.3
+
+## Commands
+```bash
+# Extract VBA and convert number sequences to text
+oledump.py <document> -s <stream> -v | numbers-to-string.py -j
+# Same but with line-break formatting for readability
+oledump.py <document> -s <stream> -v | numbers-to-string.py -j | sed 's/;/;\n/g'
+```
+
+#recipe #oledump-py #numbers-to-string-py
@@ -0,0 +1,14 @@
+# Recover VBA from p-code (source removed)
+> Decompile VBA when source code has been stripped, only p-code remains
+
+**Tools:** [[tools/pcode2code|pcode2code]], [[tools/pcodedmp|pcodedmp]]
+
+## Commands
+```bash
+# Decompile p-code back to VBA source
+pcode2code <document.docm>
+# Or disassemble p-code to assembly
+pcodedmp <document.docm>
+```
+
+#recipe #pcode2code #pcodedmp
@@ -0,0 +1,18 @@
+# Quick Memory Dump Triage
+> Fast initial assessment of a memory dump
+
+**Tools:** [[tools/volatility3|volatility3]]
+
+## Commands
+```bash
+# Identify OS
+vol3 -f <dump> windows.info
+# Process tree (spot anomalies)
+vol3 -f <dump> windows.pstree
+# Network connections
+vol3 -f <dump> windows.netscan
+# Injected code detection
+vol3 -f <dump> windows.malfind
+```
+
+#recipe #volatility3
@@ -0,0 +1,21 @@
+# Brute-Force XOR Key
+> Find the XOR key used to encode strings in a binary
+
+**Tools:** [[tools/brxor-py|brxor-py]], [[tools/bbcrack|bbcrack]], [[tools/xorsearch|xorsearch]], [[tools/xortool|xortool]]
+**FOR610 Lab:** 5.2
+
+## Commands
+```bash
+# Quick check for XOR-encoded URLs/PE headers
+XORSearch <file> http:
+# Brute-force single-byte XOR keys
+brxor.py <file>
+# Try XOR, ROL, ADD combinations
+bbcrack -l 1 <file>
+# Guess multi-byte XOR key length and value
+xortool <file>
+# Decode with known key
+xortool-xor -s '<key>' -i <encoded> -o <decoded>
+```
+
+#recipe #brxor-py #bbcrack #xorsearch #xortool