tobias
f3ccc09c3d
Build comprehensive malware analysis knowledge base from 3 sources: - SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes - REMnux salt-states: 340 packages parsed from GitHub - REMnux docs: 280+ tools scraped from docs.remnux.org Master inventory merges all sources into 447 tools with help tiers (rich/standard/basic). Pipeline generates: tools.db (397 entries), 397 cheatsheets with multi-tool recipes, 15 workflow guides, 224 TLDR pages, and coverage reports. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
26 lines
819 B
Plaintext
26 lines
819 B
Plaintext
# rtfdump.py
|
|
# Analyze RTF file structure, identify hex-encoded groups and embedded objects
|
|
# FOR610 Labs: 3.5 | Sections: 3 | Author: Didier Stevens
|
|
# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office
|
|
|
|
% rtf, document, didier-stevens
|
|
|
|
# Basic usage
|
|
rtfdump.py document.rtf
|
|
|
|
# Select specific item
|
|
rtfdump.py document.rtf -s 5 -H -d > extracted.bin
|
|
|
|
|
|
# --- Recipes (multi-tool chains) ---
|
|
|
|
# >> Extract Shellcode from RTF Document
|
|
# Scan RTF structure — look for groups with lots of hex data
|
|
rtfdump.py <document.rtf>
|
|
# Extract the hex-heavy group as binary
|
|
rtfdump.py <document.rtf> -s <group_num> -H -d > extracted.bin
|
|
# Scan for shellcode patterns (even XOR-encoded)
|
|
XORSearch -W -d 3 extracted.bin
|
|
# Emulate shellcode at found offset
|
|
scdbgc /f extracted.bin /foff <offset> /s -1
|