Add FOR610 tool/workflow knowledge base and data pipeline

Build comprehensive malware analysis knowledge base from 3 sources:
- SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes
- REMnux salt-states: 340 packages parsed from GitHub
- REMnux docs: 280+ tools scraped from docs.remnux.org

Master inventory merges all sources into 447 tools with help tiers
(rich/standard/basic). Pipeline generates: tools.db (397 entries),
397 cheatsheets with multi-tool recipes, 15 workflow guides, 224
TLDR pages, and coverage reports.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

data/generated/workflows/dotnet-analysis-workflow.txt

@@ -0,0 +1,81 @@
+============================================================
+  .NET Malware Analysis
+============================================================
+
+  Analyze .NET malware using decompilation, debugging, and deobfuscation. Works for .NET Framework, .NET Core, and mixed-mode assemblies.
+
+  Related FOR610 Labs: 3.12, 4.8
+
+────────────────────────────────────────────────────────────
+
+  Step 1: Identification & Metadata
+  Tools: peframe, diec, dnfile, dotnetfile
+  Confirm .NET binary (peframe shows 'CLR'). Check
+  runtime version (.NET 2/4/Core). Use dnfile or
+  dotnetfile for .NET-specific metadata. Note entry
+  point and referenced assemblies.
+
+    $ peframe specimen.exe
+    $ diec specimen.exe
+
+  Step 2: Obfuscator Detection
+  Tools: diec, de4dot
+  Detect obfuscator: DIE identifies ConfuserEx, Eziriz
+  .NET Reactor, Babel, etc. de4dot -d <sample> reports
+  detected obfuscator without modifying the file.
+
+    $ diec specimen.exe
+    $ de4dot obfuscated.exe
+
+  Step 3: Decompilation
+  Tools: ilspycmd, monodis
+  Decompile to C# source: ilspycmd <sample> > output.cs.
+  On REMnux use ilspycmd (CLI). Examine: Main() entry,
+  suspicious class/method names, embedded resources.
+
+    $ ilspycmd assembly.exe > decompiled.cs
+
+  Step 4: Dynamic Loading Detection
+  Tools: visual-studio-code
+  Search decompiled code for: Assembly.Load(byte[]),
+  Assembly.LoadFrom(), Activator.CreateInstance(),
+  MethodInfo.Invoke(), CSharpCodeProvider. These
+  indicate runtime code loading.
+
+    $ code filename.js
+
+  Step 5: Deobfuscation
+  Tools: de4dot
+  Run: de4dot <sample> -o <clean>. If de4dot fails: try
+  with --dont-rename flag, or manually rename obfuscated
+  symbols. For ConfuserEx: de4dot handles most variants.
+
+    $ de4dot obfuscated.exe
+
+  Step 6: Dynamic Debugging [W]
+  Tools: dnspyex
+  If static analysis insufficient: load in dnSpyEx, set
+  breakpoint on Assembly.Load or suspicious method. Run
+  and inspect Locals window for decrypted payloads. Save
+  byte[] arrays to disk.
+
+    $ dnSpyEx.exe assembly.exe
+
+  Step 7: Extracted Payload Analysis
+  Tools: ilspycmd, peframe
+  Analyze extracted payload: is it another .NET
+  assembly? (recurse this workflow). Is it a PE file?
+  (route to Static Analysis). Document the unpacking
+  chain.
+
+    $ ilspycmd assembly.exe > decompiled.cs
+    $ peframe specimen.exe
+
+  Step 8: Document Findings
+  Record: obfuscator type, .NET version, loading
+  mechanism, payload hashes, C2 endpoints found in
+  decompiled code, encryption keys/algorithms.
+
+────────────────────────────────────────────────────────────
+  Tip: 'fhelp cheat <tool>' for full examples
+       'Ctrl+G' for interactive cheatsheet browser