Add FOR610 tool/workflow knowledge base and data pipeline

Build comprehensive malware analysis knowledge base from 3 sources: - SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes - REMnux salt-states: 340 packages parsed from GitHub - REMnux docs: 280+ tools scraped from docs.remnux.org Master inventory merges all sources into 447 tools with help tiers (rich/standard/basic). Pipeline generates: tools.db (397 entries), 397 cheatsheets with multi-tool recipes, 15 workflow guides, 224 TLDR pages, and coverage reports. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 17:38:15 +01:00
parent 06ebb09ab0
commit f3ccc09c3d
663 changed files with 36339 additions and 1 deletions
@@ -0,0 +1,61 @@
+============================================================
+  JavaScript Deobfuscation
+============================================================
+
+  Deobfuscate and analyze malicious JavaScript from web pages, email attachments, or document macros.
+
+  Related FOR610 Labs: 3.6, 3.7
+
+────────────────────────────────────────────────────────────
+
+  Step 1: Beautification
+  Tools: js-beautify
+  Format minified/compressed JavaScript for readability.
+  Look for: eval() calls, document.write(),
+  String.fromCharCode(), unescape(), atob().
+
+    $ js-beautify malicious.js > beautified.js
+
+  Step 2: Static Review
+  Tools: visual-studio-code
+  Identify obfuscation layers. Search for: eval/Function
+  constructor (code execution), long encoded strings,
+  variable name patterns (single chars = likely
+  obfuscated).
+
+    $ code filename.js
+
+  Step 3: Safe Execution (SpiderMonkey)
+  Tools: spidermonkey
+  Execute outside browser with objects.js to simulate
+  browser/WScript APIs. Command: js -f
+  /usr/share/remnux/objects.js -f <script.js>. Captures
+  eval'd code without running it.
+
+    $ js -f malicious.js
+
+  Step 4: Environment Tuning
+  Tools: visual-studio-code
+  If script expects specific environment (location.href,
+  navigator.userAgent): edit objects.js to provide
+  expected values. Re-run SpiderMonkey.
+
+    $ code filename.js
+
+  Step 5: Alternative Analysis
+  Tools: box-js, jstillery
+  box-js: Node.js sandbox with WScript emulation.
+  JStillery: AST-based deobfuscation. Use when
+  SpiderMonkey can't handle the obfuscation.
+
+    $ box-js --output-dir=/tmp suspicious.js
+
+  Step 6: Payload Identification
+  What does the deobfuscated JS do? Common patterns:
+  download & execute (dropper), redirect to exploit kit,
+  credential harvesting. Extract all URLs, IPs, file
+  paths.
+
+────────────────────────────────────────────────────────────
+  Tip: 'fhelp cheat <tool>' for full examples
+       'Ctrl+G' for interactive cheatsheet browser