Add markdown wiki with 473 pages and zk browser

Generate interlinked wiki from master inventory: 397 tool pages,
15 workflow pages, 27 recipe pages, 33 category pages, plus index.
All pages use [[wiki-links]] for cross-navigation between tools,
workflows, recipes, and categories (1782 links total).

Install zk for interactive browsing with fzf search, tag filtering,
and backlink discovery. Add 'fhelp wiki' command and Makefile target.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
tobias
2026-03-28 19:50:36 +01:00
parent b13db23a5e
commit e62a14dafc
478 changed files with 7683 additions and 5 deletions
@@ -0,0 +1,74 @@
# Code Injection Analysis
> Identify and analyze process injection techniques including DLL injection, process hollowing, and reflective loading.
**FOR610 Labs:** 4.9, 5.4
## Steps
### Step 1: Capability Detection
**Tools:** [[tools/capa|capa]]
Run capa to identify injection techniques. Look for: 'inject code', 'create suspended process', 'allocate RWX memory'. Note MITRE ATT&CK technique IDs.
```bash
capa specimen.exe
```
### Step 2: Injection Type Classification
**Tools:** [[tools/ghidra|ghidra]], [[tools/cutter|cutter]]
Identify which technique: Classic DLL injection (LoadLibrary), Process Hollowing (CreateProcess SUSPENDED + NtUnmapViewOfSection), Reflective DLL (manual PE loading), APC injection (QueueUserAPC).
```bash
ghidra
cutter specimen.exe
```
### Step 3: Target Process Analysis
**Tools:** [[tools/ghidra|ghidra]]
How does malware choose its target? Look for: CreateToolhelp32Snapshot + Process32First/Next (enumeration), hardcoded process names (svchost.exe, explorer.exe), OpenProcess calls.
```bash
ghidra
```
### Step 4: Payload Identification
**Tools:** [[tools/ghidra|ghidra]]
What gets injected? Trace data flow to WriteProcessMemory or NtWriteVirtualMemory. Is it: embedded PE, shellcode, encrypted blob? Check size and content.
```bash
ghidra
```
### Step 5: Memory Allocation Analysis
**Tools:** [[tools/ghidra|ghidra]]
Examine VirtualAllocEx parameters: size (hints at payload type), protection flags (PAGE_EXECUTE_READWRITE = 0x40 = suspicious). Allocation address for base relocation.
```bash
ghidra
```
### Step 6: Injection Verification [W]
**Tools:** [[tools/x32dbg|x32dbg]], [[tools/x64dbg|x64dbg]]
Set breakpoint on WriteProcessMemory. When hit: examine lpBuffer (injected data), nSize (payload size). Dump the buffer to file for separate analysis.
### Step 7: Extracted Payload Analysis
**Tools:** [[tools/peframe|peframe]], [[tools/capa|capa]], [[tools/strings|strings]]
Analyze the injected payload as standalone file. Route to: Static Analysis Workflow (if PE), Shellcode Workflow (if shellcode), .NET Workflow (if .NET assembly).
```bash
peframe specimen.exe
capa specimen.exe
strings binary.exe
```
### Step 8: Document Technique
Record: injection technique, target process criteria, payload type and hash, API call sequence, memory protection flags. Map to MITRE ATT&CK (T1055.x).
#code-injection #process-hollowing #dll-injection #reflective-loading #workflow
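Review bot: Step 7's command block analyzes the wrong file: after Step 6 dumps the injected buffer to disk, the commands still run `peframe specimen.exe` and `capa specimen.exe` on the original dropper, and `strings binary.exe` on a third, otherwise unmentioned name. Point all three at the dumped payload (one consistent filename, e.g. the file written in Step 6) so the step matches its own text "Analyze the injected payload as standalone file". Related, in Step 6 the breakpoint is only on WriteProcessMemory, while Step 4 already notes the payload may flow through NtWriteVirtualMemory; set the breakpoint on ntdll!NtWriteVirtualMemory as well (and on NtMapViewOfSection for section-mapping injection), otherwise a sample that calls the native API directly never hits the breakpoint and the dump step silently fails. The bare `ghidra` blocks in Steps 2 through 5 add nothing over the tool link (they launch the GUI with no specimen); either drop them or make them instruct what to open, e.g. the import and the xrefs to OpenProcess/VirtualAllocEx, which is what the step text actually asks for. Finally, Step 8 says "Map to MITRE ATT&CK (T1055.x)" but Step 2 includes reflective DLL loading, which ATT&CK tracks as T1620 (Reflective Code Loading) rather than a T1055 sub-technique; mention both so the documented mapping is not forced into the wrong technique.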