Add FOR610 tool/workflow knowledge base and data pipeline

Build comprehensive malware analysis knowledge base from 3 sources: - SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes - REMnux salt-states: 340 packages parsed from GitHub - REMnux docs: 280+ tools scraped from docs.remnux.org Master inventory merges all sources into 447 tools with help tiers (rich/standard/basic). Pipeline generates: tools.db (397 entries), 397 cheatsheets with multi-tool recipes, 15 workflow guides, 224 TLDR pages, and coverage reports. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 17:38:15 +01:00
parent 06ebb09ab0
commit f3ccc09c3d
663 changed files with 36339 additions and 1 deletions
@@ -0,0 +1,60 @@
+============================================================
+  Java Malware Analysis
+============================================================
+
+  Analyze malicious Java archives (JAR), applets, and compiled classes. Covers decompilation and code analysis.
+
+────────────────────────────────────────────────────────────
+
+  Step 1: Archive Inspection
+  Tools: unzip, file
+  Extract JAR contents: unzip <file.jar> -d output/.
+  Examine META-INF/MANIFEST.MF for Main-Class entry
+  point. List all .class files.
+
+    $ unzip -P infected sample.zip
+    $ file specimen.exe
+
+  Step 2: Decompilation
+  Tools: cfr, jd-gui
+  Decompile with CFR: cfr <file.jar> --outputdir
+  output/. Or use JD-GUI for visual browsing. CFR
+  handles modern Java (lambdas, try-with-resources)
+  better.
+
+    $ cfr <file.jar> --outputdir output/
+    $ jd-gui <file.jar>
+
+  Step 3: Multi-Decompiler Comparison
+  Tools: cfr, procyon
+  If one decompiler fails on a class: try Procyon.
+  Compare outputs. Some obfuscators break specific
+  decompilers while others handle them fine.
+
+    $ cfr <file.jar> --outputdir output/
+
+  Step 4: Code Analysis
+  Tools: visual-studio-code
+  Review decompiled source. Search for: Runtime.exec()
+  (command execution), URLConnection (network), Cipher
+  (crypto), File I/O operations, reflection
+  (Class.forName).
+
+    $ code filename.js
+
+  Step 5: Resource Extraction
+  Tools: strings
+  Extract embedded resources and strings. Check for:
+  encoded payloads in resources, config files, embedded
+  binaries. Base64-encoded content is common.
+
+    $ strings binary.exe
+
+  Step 6: Document Findings
+  Record: entry point class, malicious methods,
+  URLs/IPs, downloaded payloads, commands executed, Java
+  version requirements.
+
+────────────────────────────────────────────────────────────
+  Tip: 'fhelp cheat <tool>' for full examples
+       'Ctrl+G' for interactive cheatsheet browser