#!/bin/bash # Create enhanced cheat sheets by combining existing ones with file analysis examples # This leverages existing resources and adds specific malware/PDF analysis use cases set -e CHEAT_DIR="/opt/cheatsheets" NAVI_DIR="/opt/navi-cheats" TLDR_CACHE="/root/.local/share/tldr" echo "📚 Creating enhanced cheat sheet collection..." # Create directories mkdir -p "$CHEAT_DIR" "$NAVI_DIR" "$TLDR_CACHE" # Function to download and enhance existing cheat sheets download_and_enhance() { local tool="$1" local base_url="https://raw.githubusercontent.com/cheat/cheatsheets/master" local output_file="$CHEAT_DIR/$tool.cheat" echo "Processing $tool..." # Try to download existing cheat sheet if curl -s "$base_url/$tool" -o "/tmp/${tool}_base.cheat" && [ -s "/tmp/${tool}_base.cheat" ]; then echo "✓ Found existing cheat sheet for $tool" cp "/tmp/${tool}_base.cheat" "$output_file" else echo "⚠ No existing cheat sheet for $tool, creating from scratch" echo "# $tool" > "$output_file" echo "" >> "$output_file" fi } # Download base cheat sheets for key tools and fix directory structure TOOLS=("pdftk" "7z" "tar" "unzip" "exiftool") # Create proper cheat directory structure (cheat expects files without extensions in subdirs) mkdir -p "$CHEAT_DIR/personal" for tool in "${TOOLS[@]}"; do download_and_enhance "$tool" # Copy to proper cheat structure (without .cheat extension) if [[ -f "$CHEAT_DIR/${tool}.cheat" ]]; then cp "$CHEAT_DIR/${tool}.cheat" "$CHEAT_DIR/personal/${tool}" fi done # Enhance pdftk with file analysis specific examples cat >> "$CHEAT_DIR/pdftk.cheat" << 'EOF' # === FILE ANALYSIS ENHANCEMENTS === # Flatten PDF to prevent JavaScript execution (SECURITY) pdftk suspicious.pdf output safe.pdf flatten # Remove form fields and JavaScript (SECURITY) pdftk malicious.pdf output cleaned.pdf flatten dont_ask # Extract pages for isolated analysis pdftk document.pdf cat 1-3 output first_pages.pdf # Combine with metadata removal workflow pdftk input.pdf output temp.pdf flatten exiftool -all= temp.pdf mv temp.pdf_original analysis_ready.pdf # Decompress PDF streams for analysis pdftk compressed.pdf output uncompressed.pdf uncompress EOF # Create comprehensive PDF analysis cheat sheet (doesn't exist in standard repos) cat > "$CHEAT_DIR/pdf-analysis.cheat" << 'EOF' --- tags: [ pdf, malware, analysis, security ] --- # PDF Analysis Workflow # Quick PDF overview and suspicious element detection pdfid.py document.pdf # Detailed PDF structure analysis pdf-parser.py document.pdf # Interactive analysis with JavaScript detection peepdf -i document.pdf # Extract metadata exiftool document.pdf # Remove passwords for analysis qpdf --password=PASSWORD --decrypt encrypted.pdf decrypted.pdf # Flatten PDF to remove interactive elements (SECURITY) pdftk suspicious.pdf output safe.pdf flatten # Extract embedded files pdf-parser.py --extract document.pdf # Convert PDF to images for safe viewing convert document.pdf[0-2] page-%02d.png # OCR text from PDF images convert document.pdf page.png && tesseract page.png output # Check for embedded JavaScript peepdf -s extract_js document.pdf # Analyze PDF with Origami (if available) ruby -e "require 'origami'; pdf = Origami::PDF.read('document.pdf'); puts pdf.each_object.select{|o| o.is_a? Origami::Stream}.count" # Extract strings from PDF strings document.pdf | grep -i "javascript\|openaction\|aa\|js" # Hexdump analysis of PDF structure hexdump -C document.pdf | head -50 EOF # Create malware analysis workflow cheat sheet cat > "$CHEAT_DIR/malware-analysis.cheat" << 'EOF' --- tags: [ malware, analysis, security, forensics ] --- # Malware Analysis Workflow # File type identification file suspicious.exe # Extract readable strings strings -n 8 malware.bin # Detect capabilities with CAPA capa malware.exe # Analyze JavaScript in sandbox box-js --output-dir=/tmp/js_analysis suspicious.js # Office document analysis oledump.py document.doc # RTF document analysis rtfdump.py document.rtf # Email analysis emldump.py message.eml # Extract base64 content base64dump.py document.txt # Binary analysis and extraction binwalk malware.bin # File carving foremost -t exe,dll,pdf -i disk.img # Hex analysis xxd malware.exe | head -20 # Extract metadata from any file exiftool malware.exe # Archive analysis 7z l suspicious.zip unzip -l suspicious.zip # Network capture analysis (if pcap available) tshark -r capture.pcap -Y "http.request.uri contains .exe" EOF # Create NAVI cheat sheets (interactive format) cat > "$NAVI_DIR/pdf-analysis.cheat" << 'EOF' % pdf analysis # Quick PDF info and suspicious elements pdfid.py # Detailed PDF structure analysis pdf-parser.py # Interactive PDF analysis peepdf -i # Flatten PDF for security (remove JavaScript/forms) pdftk output flatten # Decrypt password-protected PDF qpdf --password= --decrypt # Extract PDF metadata exiftool # Convert PDF pages to images convert [] # Extract strings with JavaScript keywords strings | grep -i "javascript\|openaction\|aa\|js" $ pdf_file: find . -name "*.pdf" -type f $ input_pdf: find . -name "*.pdf" -type f $ encrypted_pdf: find . -name "*.pdf" -type f $ page_range: echo "0-2" $ output_pattern: echo "page-%02d.png" $ password: echo "password123" $ output_pdf: echo "output.pdf" EOF cat > "$NAVI_DIR/malware-analysis.cheat" << 'EOF' % malware analysis # Identify file type file # Extract printable strings strings -n # Detect malware capabilities capa # Analyze JavaScript in sandbox box-js --output-dir= # Analyze Office documents oledump.py # Analyze RTF documents rtfdump.py # Extract and analyze base64 content base64dump.py # Binary analysis and file extraction binwalk # File carving from disk image foremost -t -i # Hex dump analysis xxd | head - $ suspicious_file: find . -type f ! -name "*.txt" ! -name "*.md" $ binary_file: find . -type f \( -name "*.exe" -o -name "*.dll" -o -name "*.bin" \) $ executable_file: find . -type f \( -name "*.exe" -o -name "*.dll" \) $ js_file: find . -name "*.js" -type f $ office_file: find . -type f \( -name "*.doc" -o -name "*.xls" -o -name "*.ppt" \) $ rtf_file: find . -name "*.rtf" -type f $ file_with_base64: find . -name "*.txt" -o -name "*.log" -type f $ disk_image: find . -name "*.img" -o -name "*.dd" -type f $ min_length: echo "8" $ output_dir: echo "/tmp/analysis" $ file_types: echo "exe,dll,pdf,jpg" $ num_lines: echo "20" EOF # Create custom tldr pages for tools missing from standard tldr mkdir -p "$TLDR_CACHE/pages/common" cat > "$TLDR_CACHE/pages/common/pdfid.py.md" << 'EOF' # pdfid.py > Analyze PDF files and identify potentially suspicious elements. > Part of Didier Stevens' PDF analysis toolkit. > More information: . - Analyze a PDF file for suspicious elements: `pdfid.py {{path/to/document.pdf}}` - Show detailed analysis including object counts: `pdfid.py {{[-v|--verbose]}} {{path/to/document.pdf}}` - Analyze all PDF files in a directory: `pdfid.py {{path/to/directory/*.pdf}}` - Output results in CSV format: `pdfid.py {{[-c|--csv]}} {{path/to/document.pdf}}` - Scan for specific keywords in PDF: `pdfid.py {{[-k|--keyword]}} {{javascript}} {{path/to/document.pdf}}` EOF cat > "$TLDR_CACHE/pages/common/pdf-parser.py.md" << 'EOF' # pdf-parser.py > Parse and analyze PDF file structure, extract objects and streams. > Part of Didier Stevens' PDF analysis toolkit. > More information: . - Parse PDF structure and show all objects: `pdf-parser.py {{path/to/document.pdf}}` - Extract a specific object by number: `pdf-parser.py {{[-o|--object]}} {{object_number}} {{path/to/document.pdf}}` - Search for objects containing specific text: `pdf-parser.py {{[-s|--search]}} {{javascript}} {{path/to/document.pdf}}` - Extract and decode streams: `pdf-parser.py {{[-f|--filter]}} {{path/to/document.pdf}}` - Dump raw object content: `pdf-parser.py {{[-d|--dump]}} {{[-o|--object]}} {{object_number}} {{path/to/document.pdf}}` - Generate statistics about PDF structure: `pdf-parser.py {{[-a|--stats]}} {{path/to/document.pdf}}` EOF cat > "$TLDR_CACHE/pages/common/peepdf.md" << 'EOF' # peepdf > Interactive PDF analysis framework with JavaScript analysis capabilities. > More information: . - Analyze PDF file interactively: `peepdf {{[-i|--interactive]}} {{path/to/document.pdf}}` - Analyze PDF and automatically extract suspicious elements: `peepdf {{[-f|--force-mode]}} {{path/to/document.pdf}}` - Load PDF and execute peepdf script: `peepdf {{[-s|--script]}} {{script.txt}} {{path/to/document.pdf}}` - Analyze PDF with specific password: `peepdf {{[-p|--password]}} {{password}} {{path/to/document.pdf}}` - Generate XML report: `peepdf {{[-x|--xml]}} {{path/to/document.pdf}}` - Update malicious URL database: `peepdf {{[-u|--update]}}` EOF cat > "$TLDR_CACHE/pages/common/capa.md" << 'EOF' # capa > Detect malware capabilities using the MITRE ATT&CK framework. > Analyzes executables and maps them to threat behaviors. > More information: . - Analyze an executable for capabilities: `capa {{path/to/malware.exe}}` - Show verbose analysis with detailed explanations: `capa {{[-v|--verbose]}} {{path/to/malware.exe}}` - Output results in JSON format: `capa {{[-j|--json]}} {{path/to/malware.exe}}` - Analyze with custom rules directory: `capa {{[-r|--rules]}} {{path/to/rules}} {{path/to/malware.exe}}` - Show only capabilities above certain confidence: `capa {{[-t|--tag]}} {{communication}} {{path/to/malware.exe}}` - Analyze shellcode instead of PE file: `capa {{[-f|--format]}} {{shellcode}} {{path/to/shellcode.bin}}` EOF # Configure cheat to use our cheat sheets directory (for remnux user) mkdir -p /home/remnux/.config/cheat cat > /home/remnux/.config/cheat/conf.yml << 'EOF' --- cheatpaths: - name: personal path: /opt/cheatsheets/personal tags: [personal] readonly: false EOF chown -R remnux:remnux /home/remnux/.config/ # Fix navi configuration to prevent fzf preview errors (for remnux user) mkdir -p /home/remnux/.config/navi cat > /home/remnux/.config/navi/config.yaml << 'EOF' cheats: paths: - /opt/navi-cheats - /opt/cheatsheets finder: command: fzf preview_window: right:50% shell: command: bash EOF chown -R remnux:remnux /home/remnux/.config/ # Copy custom cheat sheets to proper cheat structure cp "$CHEAT_DIR/pdf-analysis.cheat" "$CHEAT_DIR/personal/pdf-analysis" 2>/dev/null || true cp "$CHEAT_DIR/malware-analysis.cheat" "$CHEAT_DIR/personal/malware-analysis" 2>/dev/null || true echo "✅ Enhanced cheat sheet collection created!" echo "" echo "📊 Summary:" echo " 📁 Cheat sheets: $CHEAT_DIR" echo " 🎯 Navi cheats: $NAVI_DIR" echo " 📚 TLDR cache: $TLDR_CACHE" echo "" echo "Available cheat sheets:" ls -1 "$CHEAT_DIR/personal/" 2>/dev/null | sed 's/^/ • /' || echo " • (checking directory structure...)" echo "" echo "Usage examples:" echo " cheat pdftk # Show pdftk cheat sheet" echo " navi # Interactive cheat browser" echo " tldr pdfid.py # Quick examples for pdfid.py" echo " fhelp cheat pdf # File analysis PDF workflow"