Add FOR610 tool/workflow knowledge base and data pipeline

Build comprehensive malware analysis knowledge base from 3 sources: - SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes - REMnux salt-states: 340 packages parsed from GitHub - REMnux docs: 280+ tools scraped from docs.remnux.org Master inventory merges all sources into 447 tools with help tiers (rich/standard/basic). Pipeline generates: tools.db (397 entries), 397 cheatsheets with multi-tool recipes, 15 workflow guides, 224 TLDR pages, and coverage reports. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 17:38:15 +01:00
parent 06ebb09ab0
commit f3ccc09c3d
663 changed files with 36339 additions and 1 deletions
@@ -0,0 +1,66 @@
+============================================================
+  String & Data Deobfuscation
+============================================================
+
+  Decode obfuscated strings and data in malware. Covers XOR, Base64, stack strings, custom algorithms, and multi-layer encoding.
+
+  Related FOR610 Labs: 1.5, 5.2
+
+────────────────────────────────────────────────────────────
+
+  Step 1: Automated Extraction
+  Tools: floss, strings
+  Start with FLOSS for automatic deobfuscation (static +
+  stack + decoded strings). Compare against plain
+  strings output. FLOSS --no-static for only decoded
+  strings.
+
+    $ floss specimen.exe
+    $ strings binary.exe
+
+  Step 2: Encoding Detection
+  Tools: xorsearch, bbcrack
+  Identify encoding algorithm. XORSearch: detect XOR
+  with known plaintext (http:, MZ, This program).
+  bbcrack: brute-force XOR, ROL, ADD at multiple levels.
+
+    $ XORSearch -W -d 3 file.bin
+    $ bbcrack -l 1 specimen.dll
+
+  Step 3: Single-Byte XOR Recovery
+  Tools: brxor-py, xortool
+  For single-byte XOR: brxor.py <file> finds English
+  words. xortool <file> guesses key length and probable
+  key. xortool-xor -s <key> -i <file> -o decoded.bin to
+  decode.
+
+    $ brxor.py specimen.dll
+    $ xortool <encoded_file>
+
+  Step 4: Multi-Byte / Custom Decoding
+  Tools: translate-py, cyberchef
+  For custom algorithms: translate.py 'byte ^ key' or
+  complex expressions. CyberChef for visual recipe
+  building (XOR → Base64 → Gunzip chains). Document the
+  recipe.
+
+    $ translate.py "byte ^ 35" < input.bin > output.bin
+    $ cyberchef
+
+  Step 5: Stack String Recovery
+  Tools: strdeob-pl, floss
+  For strings built on the stack (MOV byte-by-byte):
+  strdeob.pl <file> or FLOSS stack string detection.
+  Common in evasive malware to avoid string extraction.
+
+    $ strdeob.pl specimen.exe
+    $ floss specimen.exe
+
+  Step 6: Validation & IOC Extraction
+  Review decoded strings. Extract IOCs: C2 addresses,
+  registry keys, file paths, API names, credentials.
+  Compare against known malware family patterns.
+
+────────────────────────────────────────────────────────────
+  Tip: 'fhelp cheat <tool>' for full examples
+       'Ctrl+G' for interactive cheatsheet browser