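---
# Manual enrichments for tools not covered by FOR610
# These provide usage examples and descriptions for Priority 1-2 tools
# Merged into tools-master.yaml by build-master-inventory.py
#
# Each entry under `enrichments` carries three keys:
#   description   - one-sentence summary of the tool
#   typical_usage - example command lines, one per list item
#   tags          - lowercase keywords used for filtering/grouping
#
# NOTE(review): the argument tokens in the usage examples were lost in
# transit (flags such as "--pid " and "-f " ended with nothing after them).
# They are restored here as <UPPER_CASE> placeholders that the analyst
# replaces with the real sample, capture or image path; the placeholder
# names are reconstructed, so confirm each against the tool's own help
# output before relying on the exact argument order.

enrichments:
  # === MEMORY FORENSICS ===
  volatility3:
    description: >-
      Memory forensics framework — analyze RAM dumps to find malware,
      hidden processes, network connections, and injected code
    typical_usage:
      - "vol3 -f <MEMORY_IMAGE> windows.info"
      - "vol3 -f <MEMORY_IMAGE> windows.pslist"
      - "vol3 -f <MEMORY_IMAGE> windows.pstree"
      - "vol3 -f <MEMORY_IMAGE> windows.netscan"
      - "vol3 -f <MEMORY_IMAGE> windows.malfind"
      - "vol3 -f <MEMORY_IMAGE> windows.dlllist --pid <PID>"
      - "vol3 -f <MEMORY_IMAGE> windows.dumpfiles --pid <PID>"
    tags: [memory, forensics, volatility, incident-response]

  # === NETWORK ===
  fakenet-ng:
    # Run inside the isolated analysis VM so the sample talks to the
    # emulated services rather than to real infrastructure.
    description: >-
      Emulate network services (HTTP, DNS, SMTP, FTP) to intercept and
      analyze malware traffic dynamically
    typical_usage:
      - "fakenet"
      - "fakenet -c custom_config.ini"
    tags: [network, emulation, dynamic-analysis, c2]

  mitmproxy:
    description: "Interactive HTTPS proxy for intercepting, inspecting, and modifying encrypted web traffic"
    typical_usage:
      - "mitmproxy"
      - "mitmdump -w capture.flow"
      - "mitmproxy --mode transparent"
    tags: [network, https, proxy, tls, interception]

  polarproxy:
    description: "Transparent TLS proxy that decrypts traffic and saves it as PCAP for analysis in Wireshark"
    typical_usage:
      - "PolarProxy -p 443,80 -w captured.pcap"
    tags: [network, tls, decryption, pcap]

  networkminer:
    description: "Passive network traffic analyzer — extracts files, images, credentials from PCAP captures"
    typical_usage:
      - "NetworkMiner --pcap <CAPTURE.pcap>"
    tags: [network, pcap, file-carving, passive]

  ngrep:
    description: "Search network traffic for patterns — like grep for packets"
    typical_usage:
      - "ngrep -I <CAPTURE.pcap> 'password'"
      - "ngrep -d eth0 'GET|POST' 'tcp port 80'"
    tags: [network, search, pattern-matching]

  tcpflow:
    description: "Extract and reassemble TCP streams from PCAP files into individual files"
    typical_usage:
      - "tcpflow -r <CAPTURE.pcap> -o output/"
    tags: [network, tcp, stream-extraction]

  tcpxtract:
    description: "Carve files from network traffic using file signatures"
    typical_usage:
      - "tcpxtract -f <CAPTURE.pcap> -o output/"
    tags: [network, file-carving, pcap]

  # === DYNAMIC ANALYSIS ===
  frida:
    description: >-
      Dynamic instrumentation toolkit — hook and trace running processes,
      intercept function calls in real time
    typical_usage:
      - "frida -l hook.js <PROCESS>"
      - "frida-trace -i 'recv*' <PROCESS>"
      - "frida-ps -U"
    tags: [dynamic, instrumentation, hooking, tracing]

  qiling:
    description: >-
      Multi-platform binary emulation framework — emulate PE, ELF,
      shellcode across OS/arch combinations
    typical_usage:
      - "python3 -c \"from qiling import Qiling; ql = Qiling(['<BINARY>'], '/path/to/rootfs')\""
    tags: [emulation, multi-platform, binary-analysis]

  vivisect:
    description: "Binary analysis and emulation framework — static analysis with emulation capabilities"
    typical_usage:
      - "vivbin <BINARY>"
      - "python3 -c \"import vivisect; vw = vivisect.VivWorkspace(); vw.loadFromFile('<BINARY>')\""
    tags: [emulation, static-analysis, binary-analysis]

  # === ANDROID ===
  androguard:
    description: "Analyze Android APK files — extract permissions, activities, intents, and decompile DEX code"
    typical_usage:
      - "androguard analyze <APK>"
      - "androguard decompile -o output/ <APK>"
      - "androgui.py <APK>"
    tags: [android, apk, permissions, decompilation]

  apktool:
    description: "Decompile and recompile Android APK files — extract resources, smali code, and manifest"
    typical_usage:
      - "apktool d <APK> -o output/"
      - "apktool b output/ -o rebuilt.apk"
    tags: [android, apk, decompilation, resources]

  jadx:
    description: "Decompile Android DEX/APK to Java source code with a GUI or command line"
    typical_usage:
      - "jadx -d output/ <APK>"
      - "jadx-gui <APK>"
    tags: [android, dex, java, decompilation]

  # === JAVA ===
  cfr:
    description: "Modern Java decompiler — handles Java 8+ features including lambdas and try-with-resources"
    typical_usage:
      - "cfr <JAR> --outputdir output/"
      - "cfr <CLASS_OR_JAR>"
    tags: [java, decompilation, jar]

  jd-gui:
    description: "Visual Java decompiler with GUI — browse and search decompiled JAR/class files"
    typical_usage:
      - "jd-gui <JAR>"
    tags: [java, decompilation, gui]

  # === PYTHON REVERSING ===
  uncompyle6:
    description: "Decompile Python bytecode (.pyc) back to source — supports Python 1.0 through 3.8"
    typical_usage:
      - "uncompyle6 <FILE.pyc>"
      - "uncompyle6 -o output/ <FILE.pyc>"
    tags: [python, decompilation, bytecode]

  pyinstxtractor-ng:
    description: "Extract contents of PyInstaller-generated executables without needing matching Python version"
    typical_usage:
      - "pyinstxtractor-ng <EXECUTABLE>"
    tags: [python, pyinstaller, extraction]

  # === OFFICE ===
  xlmmacrodeobfuscator:
    description: "Deobfuscate Excel 4.0 (XLM) macros — these hide in hidden sheets and are hard to detect"
    typical_usage:
      - "xlmdeobfuscator --file <DOCUMENT>"
      - "xlmdeobfuscator --file <DOCUMENT> --no-indent"
    tags: [office, excel, xlm, macro, deobfuscation]

  pcode2code:
    description: "Decompile VBA p-code from Office documents — works even when VBA source is removed"
    typical_usage:
      - "pcode2code <DOCUMENT>"
    tags: [office, vba, p-code, decompilation]

  msoffcrypto-tool:
    # "infected" is the conventional password used when malware samples
    # are shared as protected archives or documents.
    description: "Decrypt password-protected Microsoft Office documents (OLE and OOXML)"
    typical_usage:
      - "msoffcrypto-tool -p infected <ENCRYPTED_DOCUMENT> <DECRYPTED_DOCUMENT>"
      - "msoffcrypto-tool -p password <ENCRYPTED_DOCUMENT> <DECRYPTED_DOCUMENT>"
    tags: [office, decryption, password]

  # === DEOBFUSCATION ===
  xortool:
    description: "Analyze XOR-encoded data — guess key length and probable key bytes"
    typical_usage:
      - "xortool <FILE>"
      - "xortool-xor -s 'key' -i <INPUT> -o <OUTPUT>"
    tags: [xor, deobfuscation, key-recovery]

  malchive:
    description: "Multi-purpose malware analysis library — config extraction, deobfuscation, and static analysis"
    typical_usage:
      - "malchive <SAMPLE>"
    tags: [malware, config-extraction, deobfuscation]

  dc3-mwcp:
    description: "DC3 Malware Configuration Parser — extract C2 configs from known malware families"
    typical_usage:
      - "mwcp parse <SAMPLE>"
      - "mwcp parse -p Emotet <SAMPLE>"
    tags: [malware, config-extraction, c2]

  # === SHELLCODE ===
  shcode2exe:
    description: "Convert raw shellcode to a Windows PE executable for analysis in disassemblers"
    typical_usage:
      - "shcode2exe <SHELLCODE.bin>"
    tags: [shellcode, conversion, pe]

  # === COBALT STRIKE ===
  # The keys recovered by cs-extract-key.py are the ones passed to
  # cs-parse-traffic.py via -k.
  cs-decrypt-metadata-py:
    description: "Decrypt Cobalt Strike beacon metadata from network captures"
    typical_usage:
      - "cs-decrypt-metadata.py <INPUT>"
    tags: [cobalt-strike, decryption, metadata]

  cs-extract-key-py:
    description: "Extract AES and HMAC encryption keys from Cobalt Strike beacon process memory dumps"
    typical_usage:
      - "cs-extract-key.py -f <PROCESS_DUMP>"
    tags: [cobalt-strike, encryption, key-extraction]

  cs-parse-traffic-py:
    description: "Decrypt and parse Cobalt Strike beacon network traffic using extracted keys"
    typical_usage:
      - "cs-parse-traffic.py -f <CAPTURE> -k <KEY>"
    tags: [cobalt-strike, traffic, decryption]

  cs-analyze-processdump-py:
    description: "Analyze Cobalt Strike beacon process dumps for sleep mask encoding"
    typical_usage:
      - "cs-analyze-processdump.py <PROCESS_DUMP>"
    tags: [cobalt-strike, sleep-mask, memory]

  malwoverview:
    # Check whether the chosen option uploads the sample or only looks up
    # its hash before using it on a case where the sample is confidential.
    description: "Query VirusTotal, Hybrid Analysis, and MalwareBazaar for malware intelligence"
    typical_usage:
      - "malwoverview -v <INPUT>"
      - "malwoverview -f <INPUT>"
    tags: [threat-intel, virustotal, malware-bazaar]

  ioc-parser:
    description: "Extract indicators of compromise (IOCs) from PDF reports and text files"
    typical_usage:
      - "ioc_parser <REPORT>"
    tags: [ioc, extraction, threat-intel]

  # === EMAIL ===
  mail-parser:
    description: "Parse raw SMTP email messages and extract headers, body, and attachments"
    typical_usage:
      - "python3 -c \"import mailparser; mail = mailparser.parse_from_file('<MESSAGE.eml>'); print(mail.subject)\""
    tags: [email, parsing, attachments]

  msg-extractor:
    description: "Extract emails and attachments from Microsoft Outlook MSG files"
    typical_usage:
      - "extract_msg <MESSAGE.msg>"
      - "extract_msg --out-dir output/ <MESSAGE.msg>"
    tags: [email, msg, outlook, attachments]

  # === DATA ANALYSIS ===
  ssdeep:
    description: "Compute fuzzy hashes (CTPH) for finding similar files — useful for malware variant clustering"
    typical_usage:
      - "ssdeep <FILE>"
      - "ssdeep -m <KNOWN_HASHES> <FILE>"
      - "ssdeep -d <DIRECTORY>"
    tags: [hashing, fuzzy, similarity, clustering]

  clamav:
    description: "Open-source antivirus — scan files for known malware signatures"
    typical_usage:
      - "clamscan <FILE>"
      # Whole-filesystem scan; slow on large volumes.
      - "clamscan -r /"
      # Update signature databases.
      - "freshclam"
    tags: [antivirus, scanning, signatures]

  unfurl:
    description: "Deconstruct and decode URLs — reveal tracking parameters, encoded data, and redirect chains"
    typical_usage:
      - "unfurl parse <URL>"
    tags: [url, decoding, phishing, tracking]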