Add FOR610 tool/workflow knowledge base and data pipeline

Build comprehensive malware analysis knowledge base from 3 sources: - SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes - REMnux salt-states: 340 packages parsed from GitHub - REMnux docs: 280+ tools scraped from docs.remnux.org Master inventory merges all sources into 447 tools with help tiers (rich/standard/basic). Pipeline generates: tools.db (397 entries), 397 cheatsheets with multi-tool recipes, 15 workflow guides, 224 TLDR pages, and coverage reports. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 17:38:15 +01:00
parent 06ebb09ab0
commit f3ccc09c3d
663 changed files with 36339 additions and 1 deletions
@@ -0,0 +1,49 @@
+# scdbgc
+# Shellcode emulator — analyze shellcode behavior through API-level emulation
+# FOR610 Labs: 3.4, 3.5, 4.6 | Sections: 3, 4
+# Docs: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode
+
+% shellcode, emulation, api-calls
+
+# Basic usage
+scdbgc /f shellcode.bin /s -1
+
+# Alternative usage
+scdbgc /f shellcode.bin /foff 0x3B /fopen qa.doc
+
+# Alternative usage
+scdbgc /f shellcode.bin /s -1 /norw
+
+
+# --- Recipes (multi-tool chains) ---
+
+# >> Full Office Macro Decode Chain
+# Step 1: List streams and extract VBA
+oledump.py <document>
+oledump.py <document> -s <macro_stream> -v
+# Step 2: Extract Base64 from data stream
+oledump.py <document> -s <data_stream> -d | base64dump.py -s 1 -d > stage1.ps1
+# Step 3: Decode second Base64 layer + decompress
+base64dump.py stage1.ps1 -s 3 -d | gunzip > stage2.ps1
+# Step 4: XOR decode the shellcode
+base64dump.py stage2.ps1 -s 2 -d | translate.py 'byte ^ 35' > shellcode.bin
+# Step 5: Emulate the shellcode
+scdbgc /f shellcode.bin /s -1
+
+# >> Extract Shellcode from RTF Document
+# Scan RTF structure — look for groups with lots of hex data
+rtfdump.py <document.rtf>
+# Extract the hex-heavy group as binary
+rtfdump.py <document.rtf> -s <group_num> -H -d > extracted.bin
+# Scan for shellcode patterns (even XOR-encoded)
+XORSearch -W -d 3 extracted.bin
+# Emulate shellcode at found offset
+scdbgc /f extracted.bin /foff <offset> /s -1
+
+# >> Emulate Shellcode at Specific Offset
+# Emulate from file start
+scdbgc /f <shellcode.bin> /s -1
+# Emulate from specific offset (hex)
+scdbgc /f <shellcode.bin> /foff <hex_offset> /s -1
+# Emulate with a file handle pre-opened (for exploits)
+scdbgc /f <shellcode.bin> /foff <offset> /fopen <carrier.doc> /s -1