Add FOR610 tool/workflow knowledge base and data pipeline
Build comprehensive malware analysis knowledge base from 3 sources:
- SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes
- REMnux salt-states: 340 packages parsed from GitHub
- REMnux docs: 280+ tools scraped from docs.remnux.org

Master inventory merges all sources into 447 tools with help tiers (rich/standard/basic).

Pipeline generates: tools.db (397 entries), 397 cheatsheets with multi-tool recipes, 15 workflow guides, 224 TLDR pages, and coverage reports.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -0,0 +1,83 @@
============================================================
Code Injection Analysis
============================================================

Identify and analyze process injection techniques including DLL injection, process hollowing, and reflective loading.

Related FOR610 Labs: 4.9, 5.4

────────────────────────────────────────────────────────────

Step 1: Capability Detection
Tools: capa
Run capa to identify injection techniques. Look for:
'inject code', 'create suspended process', 'allocate
RWX memory'. Note MITRE ATT&CK technique IDs.

$ capa specimen.exe

Step 2: Injection Type Classification
Tools: ghidra, cutter
Identify which technique: Classic DLL injection
(LoadLibrary), Process Hollowing (CreateProcess
SUSPENDED + NtUnmapViewOfSection), Reflective DLL
(manual PE loading), APC injection (QueueUserAPC).

$ ghidra
$ cutter specimen.exe

Step 3: Target Process Analysis
Tools: ghidra
How does malware choose its target? Look for:
CreateToolhelp32Snapshot + Process32First/Next
(enumeration), hardcoded process names (svchost.exe,
explorer.exe), OpenProcess calls.

$ ghidra

Step 4: Payload Identification
Tools: ghidra
What gets injected? Trace data flow to
WriteProcessMemory or NtWriteVirtualMemory. Is it:
embedded PE, shellcode, encrypted blob? Check size and
content.

$ ghidra

Step 5: Memory Allocation Analysis
Tools: ghidra
Examine VirtualAllocEx parameters: size (hints at
payload type), protection flags
(PAGE_EXECUTE_READWRITE = 0x40 = suspicious).
Allocation address for base relocation.

$ ghidra

Step 6: Injection Verification [W]
Tools: x32dbg, x64dbg
Set breakpoint on WriteProcessMemory. When hit:
examine lpBuffer (injected data), nSize (payload
size). Dump the buffer to file for separate analysis.

$ x32dbg.exe specimen.exe
$ x64dbg.exe specimen.exe

Step 7: Extracted Payload Analysis
Tools: peframe, capa, strings
Analyze the injected payload as standalone file. Route
to: Static Analysis Workflow (if PE), Shellcode
Workflow (if shellcode), .NET Workflow (if .NET
assembly).

$ peframe specimen.exe
$ capa specimen.exe
$ strings binary.exe

Step 8: Document Technique
Record: injection technique, target process criteria,
payload type and hash, API call sequence, memory
protection flags. Map to MITRE ATT&CK (T1055.x).

────────────────────────────────────────────────────────────
Tip: 'fhelp cheat <tool>' for full examples
'Ctrl+G' for interactive cheatsheet browser
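Review bot: Step 7 tells the analyst to analyze the injected payload "as standalone file", but every command under it runs against the original sample or an unrelated name (`$ peframe specimen.exe`, `$ capa specimen.exe`, `$ strings binary.exe`); these should point at the buffer dumped in Step 6 (one consistent filename for the extracted payload), otherwise the step repeats Step 1 on the dropper. Related gap in Step 6: it sets a breakpoint only on WriteProcessMemory, yet Step 4 itself names NtWriteVirtualMemory as a write primitive. A sample that calls the ntdll export directly never reaches the kernelbase breakpoint, while kernelbase!WriteProcessMemory always passes through ntdll!NtWriteVirtualMemory, so the breakpoint belongs on the ntdll export (and the guide should say that direct-syscall samples bypass user-mode API breakpoints altogether, which is when the Ghidra steps have to carry the analysis). Step 2 classifies by write path and mentions execution only for APC (QueueUserAPC) and hollowing (CreateProcess SUSPENDED + NtUnmapViewOfSection); since the T1055 sub-techniques recorded in Step 8 are distinguished largely by how execution is gained, list the thread-start primitives (CreateRemoteThread/NtCreateThreadEx, SetThreadContext + ResumeThread) alongside the write APIs. Minor: the `[W]` suffix on "Step 6: Injection Verification [W]" is not defined anywhere in the file; either expand it in the footer next to the Tip lines or drop it.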