Add FOR610 tool/workflow knowledge base and data pipeline

Build comprehensive malware analysis knowledge base from 3 sources: - SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes - REMnux salt-states: 340 packages parsed from GitHub - REMnux docs: 280+ tools scraped from docs.remnux.org Master inventory merges all sources into 447 tools with help tiers (rich/standard/basic). Pipeline generates: tools.db (397 entries), 397 cheatsheets with multi-tool recipes, 15 workflow guides, 224 TLDR pages, and coverage reports. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 17:38:15 +01:00
parent 06ebb09ab0
commit f3ccc09c3d
663 changed files with 36339 additions and 1 deletions
@@ -0,0 +1,78 @@
+============================================================
+  Shellcode Analysis
+============================================================
+
+  Analyze extracted shellcode from documents, exploits, or injected processes. Covers detection, emulation, and payload identification.
+
+  Related FOR610 Labs: 3.4, 3.5, 4.6, 4.7
+
+────────────────────────────────────────────────────────────
+
+  Step 1: Shellcode Detection
+  Tools: xorsearch, yara, capa
+  Scan carrier file for shellcode patterns. XORSearch -W
+  -d 3 <file> detects common shellcode signatures even
+  when XOR-encoded. YARA rules catch known frameworks.
+
+    $ XORSearch -W -d 3 file.bin
+    $ yara-rules specimen.bin
+    $ capa specimen.exe
+
+  Step 2: Extraction
+  Tools: rtfdump-py, oledump-py, pdf-parser-py
+  Extract shellcode from carrier. For RTF: rtfdump.py -s
+  <group> -H -d > sc.bin. For OLE: oledump.py -s
+  <stream> -d > sc.bin. For PDF: pdf-parser.py -o <obj>
+  -d sc.bin.
+
+    $ rtfdump.py document.rtf
+    $ oledump.py document.docm
+    $ pdf-parser.py document.pdf -a
+
+  Step 3: Emulation
+  Tools: scdbgc, speakeasy
+  Emulate without execution. scdbgc /f sc.bin /s -1
+  shows API calls. speakeasy -t sc.bin -r -a x86 for
+  deeper emulation. Look for: URL downloads, file
+  writes, process creation.
+
+    $ scdbgc /f shellcode.bin /s -1
+    $ speakeasy -t specimen.exe -o report.json 2> report.txt
+
+  Step 4: Framework Identification
+  Tools: yara, 1768-py
+  Check for known frameworks. 1768.py identifies Cobalt
+  Strike beacons. YARA rules detect Metasploit, Cobalt
+  Strike, custom frameworks. Document beacon config if
+  found.
+
+    $ yara-rules specimen.bin
+    $ 1768.py shellcode.bin
+
+  Step 5: Conversion to EXE
+  Tools: shcode2exe
+  Convert shellcode to executable for static analysis:
+  shcode2exe sc.bin sc.exe. Then analyze with peframe,
+  strings, ghidra.
+
+    $ shcode2exe <shellcode.bin> <output.exe>
+
+  Step 6: String & IOC Extraction
+  Tools: strings, floss, cyberchef
+  Extract strings from shellcode. Look for: C2 URLs,
+  download paths, filename markers, encryption keys. Use
+  CyberChef for encoded content.
+
+    $ strings binary.exe
+    $ floss specimen.exe
+    $ cyberchef
+
+  Step 7: Document Findings
+  Record: shellcode offset in carrier, size,
+  encoding/XOR key, framework (Metasploit/CS/custom), C2
+  address, downloaded payload URL, technique
+  (staged/stageless).
+
+────────────────────────────────────────────────────────────
+  Tip: 'fhelp cheat <tool>' for full examples
+       'Ctrl+G' for interactive cheatsheet browser