Add markdown wiki with 473 pages and zk browser

Generate interlinked wiki from master inventory: 397 tool pages,
15 workflow pages, 27 recipe pages, 33 category pages, plus index.
All pages use [[wiki-links]] for cross-navigation between tools,
workflows, recipes, and categories (1782 links total).

Install zk for interactive browsing with fzf search, tag filtering,
and backlink discovery. Add 'fhelp wiki' command and Makefile target.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
tobias
2026-03-28 19:50:36 +01:00
parent b13db23a5e
commit e62a14dafc
478 changed files with 7683 additions and 5 deletions
@@ -0,0 +1,74 @@
# Shellcode Analysis
> Analyze extracted shellcode from documents, exploits, or injected processes. Covers detection, emulation, and payload identification.
**FOR610 Labs:** 3.4, 3.5, 4.6, 4.7
## Steps
### Step 1: Shellcode Detection
**Tools:** [[tools/xorsearch|xorsearch]], [[tools/yara|yara]], [[tools/capa|capa]]
Scan carrier file for shellcode patterns. XORSearch -W -d 3 <file> detects common shellcode signatures even when XOR-encoded. YARA rules catch known frameworks.
```bash
XORSearch -W -d 3 file.bin
yara-rules specimen.bin
capa specimen.exe
```
### Step 2: Extraction
**Tools:** [[tools/rtfdump-py|rtfdump-py]], [[tools/oledump-py|oledump-py]], [[tools/pdf-parser-py|pdf-parser-py]]
Extract shellcode from carrier. For RTF: rtfdump.py -s <group> -H -d > sc.bin. For OLE: oledump.py -s <stream> -d > sc.bin. For PDF: pdf-parser.py -o <obj> -d sc.bin.
```bash
rtfdump.py document.rtf
oledump.py document.docm
pdf-parser.py document.pdf -a
```
### Step 3: Emulation
**Tools:** [[tools/scdbgc|scdbgc]], [[tools/speakeasy|speakeasy]]
Emulate without execution. scdbgc /f sc.bin /s -1 shows API calls. speakeasy -t sc.bin -r -a x86 for deeper emulation. Look for: URL downloads, file writes, process creation.
```bash
scdbgc /f shellcode.bin /s -1
speakeasy -t specimen.exe -o report.json 2> report.txt
```
### Step 4: Framework Identification
**Tools:** [[tools/yara|yara]], [[tools/1768-py|1768-py]]
Check for known frameworks. 1768.py identifies Cobalt Strike beacons. YARA rules detect Metasploit, Cobalt Strike, custom frameworks. Document beacon config if found.
```bash
yara-rules specimen.bin
1768.py shellcode.bin
```
### Step 5: Conversion to EXE
**Tools:** [[tools/shcode2exe|shcode2exe]]
Convert shellcode to executable for static analysis: shcode2exe sc.bin sc.exe. Then analyze with peframe, strings, ghidra.
```bash
shcode2exe <shellcode.bin> <output.exe>
```
### Step 6: String & IOC Extraction
**Tools:** [[tools/strings|strings]], [[tools/floss|floss]], [[tools/cyberchef|cyberchef]]
Extract strings from shellcode. Look for: C2 URLs, download paths, filename markers, encryption keys. Use CyberChef for encoded content.
```bash
strings binary.exe
floss specimen.exe
cyberchef
```
### Step 7: Document Findings
Record: shellcode offset in carrier, size, encoding/XOR key, framework (Metasploit/CS/custom), C2 address, downloaded payload URL, technique (staged/stageless).
#shellcode #emulation #cobalt-strike #metasploit #scdbg #workflow
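Review bot: the Step 3 fence emulates the wrong target: the prose gives `speakeasy -t sc.bin -r -a x86` for raw shellcode, but the code block runs `speakeasy -t specimen.exe -o report.json 2> report.txt`, which treats the input as a PE and drops the `-r`/`-a` flags that tell speakeasy it is shellcode; change the fence to `speakeasy -t sc.bin -r -a x86 -o report.json` so it matches the step. The same prose/fence mismatch is in Step 2: the text shows the extraction commands (`rtfdump.py -s <group> -H -d > sc.bin`, `oledump.py -s <stream> -d > sc.bin`, `pdf-parser.py -o <obj> -d sc.bin`) while the fence only lists streams (`rtfdump.py document.rtf`, `oledump.py document.docm`, `pdf-parser.py document.pdf -a`), so a reader copying the fence never produces `sc.bin` that Steps 3 to 5 consume; add the dump lines to the fence, or state that the listing commands are the enumeration step that precedes the dump. Minor style point: the Step 5 fence uses angle-bracket placeholders (`<shellcode.bin> <output.exe>`) while every other fence uses concrete filenames, and the filenames drift across steps (`file.bin`, `specimen.bin`, `sc.bin`, `shellcode.bin`, `binary.exe`); pick one name for the carrier and one for the extracted shellcode so the workflow reads as a single pipeline.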