# Shellcode Analysis

> Analyze extracted shellcode from documents, exploits, or injected processes. Covers detection, emulation, and payload identification.

**FOR610 Labs:** 3.4, 3.5, 4.6, 4.7

## Steps

### Step 1: Shellcode Detection

**Tools:** [[tools/xorsearch|xorsearch]], [[tools/yara|yara]], [[tools/capa|capa]]

Scan the carrier file for shellcode patterns. `XORSearch -W -d 3` detects common shellcode signatures even when they are XOR-encoded. YARA rules catch known frameworks.

```bash
XORSearch -W -d 3 file.bin
yara-rules specimen.bin
capa specimen.exe
```

### Step 2: Extraction

**Tools:** [[tools/rtfdump-py|rtfdump-py]], [[tools/oledump-py|oledump-py]], [[tools/pdf-parser-py|pdf-parser-py]]

Extract the shellcode from the carrier. For RTF: `rtfdump.py -s -H -d > sc.bin`. For OLE: `oledump.py -s -d > sc.bin`. For PDF: `pdf-parser.py -o -d sc.bin`.

```bash
rtfdump.py document.rtf
oledump.py document.docm
pdf-parser.py document.pdf -a
```

### Step 3: Emulation

**Tools:** [[tools/scdbgc|scdbgc]], [[tools/speakeasy|speakeasy]]

Emulate without executing. `scdbgc /f sc.bin /s -1` shows API calls; `speakeasy -t sc.bin -r -a x86` gives deeper emulation. Look for: URL downloads, file writes, process creation.

```bash
scdbgc /f shellcode.bin /s -1
speakeasy -t specimen.exe -o report.json 2> report.txt
```

### Step 4: Framework Identification

**Tools:** [[tools/yara|yara]], [[tools/1768-py|1768-py]]

Check for known frameworks. `1768.py` identifies Cobalt Strike beacons. YARA rules detect Metasploit, Cobalt Strike, and custom frameworks. Document the beacon config if one is found.

```bash
yara-rules specimen.bin
1768.py shellcode.bin
```

### Step 5: Conversion to EXE

**Tools:** [[tools/shcode2exe|shcode2exe]]

Convert the shellcode to an executable for static analysis: `shcode2exe sc.bin sc.exe`. Then analyze with peframe, strings, and Ghidra.

```bash
shcode2exe sc.bin sc.exe
```

### Step 6: String & IOC Extraction

**Tools:** [[tools/strings|strings]], [[tools/floss|floss]], [[tools/cyberchef|cyberchef]]

Extract strings from the shellcode. Look for: C2 URLs, download paths, filename markers, encryption keys. Use CyberChef for encoded content.

```bash
strings binary.exe
floss specimen.exe
cyberchef
```

### Step 7: Document Findings

Record: shellcode offset in the carrier, size, encoding/XOR key, framework (Metasploit/CS/custom), C2 address, downloaded payload URL, technique (staged/stageless).

#shellcode #emulation #cobalt-strike #metasploit #scdbg #workflow
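Added example for Steps 1 and 2, not code from the page or from XORSearch: it brute-forces every single-byte XOR key against a small, hypothetical signature set (PEB access and GetPC byte patterns) to locate encoded shellcode in a carrier, then decodes the bytes at the hit so they can be written out as `sc.bin` and the key recorded for Step 7. The carrier, stub and key are constructed sample data.

```python
"""Single-byte XOR brute force against shellcode byte signatures, the idea
behind XORSearch -W (constructed example, not XORSearch's own code)."""

# Hypothetical, deliberately small signature set; XORSearch ships a larger list.
SIGNATURES = {
    "PEB access mov eax, fs:[0x30]": bytes.fromhex("64a130000000"),
    "PEB access mov ebx, fs:[0x30]": bytes.fromhex("648b1d30000000"),
    "PEB access mov esi, fs:[0x30]": bytes.fromhex("648b3530000000"),
    "GetPC call $+5": bytes.fromhex("e800000000"),
}


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (key 0 leaves data unchanged)."""
    return bytes(b ^ key for b in data)


def scan_for_shellcode(data: bytes):
    """Return [(key, signature_name, offset)] for each signature found under
    any single-byte XOR key. The signature is encoded instead of decoding the
    whole buffer 256 times, which keeps this cheap on large carriers."""
    hits = []
    for key in range(256):
        for name, sig in SIGNATURES.items():
            encoded_sig = xor_bytes(sig, key)
            off = data.find(encoded_sig)
            while off != -1:
                hits.append((key, name, off))
                off = data.find(encoded_sig, off + 1)
    return hits


def decode_from_hit(data: bytes, key: int, offset: int, length: int = 64) -> bytes:
    """Decode the bytes following a hit so they can be written to sc.bin."""
    return xor_bytes(data[offset:offset + length], key)


# Constructed sample: a text carrier holding a small PEB-walking stub
# (mov eax,fs:[0x30] / mov eax,[eax+0xc] / ...) XOR-encoded with key 0x5A.
SAMPLE_STUB = bytes.fromhex("64a1300000008b400c8b401c8b008b4008")
SAMPLE_KEY = 0x5A
SAMPLE_CARRIER = (b"{\\rtf1 constructed carrier text "
                  + xor_bytes(SAMPLE_STUB, SAMPLE_KEY) + b" trailing bytes")

if __name__ == "__main__":
    for key, name, off in scan_for_shellcode(SAMPLE_CARRIER):
        print(f"key=0x{key:02x} offset=0x{off:x} {name}")
        print("  decoded:", decode_from_hit(SAMPLE_CARRIER, key, off, 8).hex())
```

On a real carrier, feed the decoded region to scdbgc or speakeasy (Step 3) rather than trusting the signature hit alone, since short patterns such as GetPC also occur in benign data.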