tobias e62a14dafc Add markdown wiki with 473 pages and zk browser
Generate interlinked wiki from master inventory: 397 tool pages,
15 workflow pages, 27 recipe pages, 33 category pages, plus index.
All pages use [[wiki-links]] for cross-navigation between tools,
workflows, recipes, and categories (1782 links total).

Install zk for interactive browsing with fzf search, tag filtering,
and backlink discovery. Add 'fhelp wiki' command and Makefile target.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 19:50:36 +01:00


# Shellcode Analysis

Analyze extracted shellcode from documents, exploits, or injected processes. Covers detection, emulation, and payload identification.

FOR610 Labs: 3.4, 3.5, 4.6, 4.7

## Steps

### Step 1: Shellcode Detection

Tools: tools/xorsearch, tools/yara, tools/capa

Scan the carrier file for shellcode patterns. `XORSearch -W -d 3` detects common shellcode signatures even when they are XOR-encoded. YARA rules catch known frameworks.

```bash
XORSearch -W -d 3 file.bin
yara-rules specimen.bin
capa specimen.exe
```

### Step 2: Extraction

Tools: tools/rtfdump-py, tools/oledump-py, tools/pdf-parser-py

Extract the shellcode from the carrier, where `<n>` is the object or stream index you identified when listing the file. For RTF: `rtfdump.py -s <n> -H -d document.rtf > sc.bin`. For OLE: `oledump.py -s <n> -d document.docm > sc.bin`. For PDF: `pdf-parser.py -o <n> -d sc.bin document.pdf`.

```bash
rtfdump.py document.rtf
oledump.py document.docm
pdf-parser.py document.pdf -a
```

### Step 3: Emulation

Tools: tools/scdbgc, tools/speakeasy

Emulate without executing. `scdbgc /f sc.bin /s -1` shows the API calls made; `speakeasy -t sc.bin -r -a x86` gives deeper emulation. Look for URL downloads, file writes, and process creation.

```bash
scdbgc /f shellcode.bin /s -1
speakeasy -t specimen.exe -o report.json 2> report.txt
```

### Step 4: Framework Identification

Tools: tools/yara, tools/1768-py

Check for known frameworks. `1768.py` identifies Cobalt Strike beacons; YARA rules detect Metasploit, Cobalt Strike, and custom frameworks. Document the beacon config if one is found.

```bash
yara-rules specimen.bin
1768.py shellcode.bin
```

### Step 5: Conversion to EXE

Tools: tools/shcode2exe

Convert the shellcode to an executable for static analysis: `shcode2exe sc.bin sc.exe`. Then analyze it with peframe, strings, and Ghidra.

```bash
shcode2exe <shellcode.bin> <output.exe>
```

### Step 6: String & IOC Extraction

Tools: tools/strings, tools/floss, tools/cyberchef

Extract strings from the shellcode. Look for C2 URLs, download paths, filename markers, and encryption keys. Use CyberChef for encoded content.

```bash
strings binary.exe
floss specimen.exe
cyberchef
```

### Step 7: Document Findings

Record: shellcode offset in the carrier, size, encoding/XOR key, framework (Metasploit/Cobalt Strike/custom), C2 address, downloaded payload URL, and technique (staged/stageless).
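As an added example (not part of this wiki and not XORSearch's own code), here is the single-byte XOR brute force behind step 1, producing the offset and XOR key recorded in step 7: every key is tried and a small, assumed set of x86 shellcode byte signatures is matched against the decoded buffer. The carrier sample is constructed inline.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Byte signatures typical of Windows x86 shellcode (a small set chosen for this
# example; XORSearch -W ships its own wildcard list). Regexes run over raw bytes.
SIGNATURES = {
    "GetPC: call $+5 / pop reg": re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]"),
    "GetPC: fnstenv [esp-0xc]": re.compile(rb"\xd9\x74\x24\xf4"),
    "PEB access: mov reg, fs:[0x30]": re.compile(
        rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x35\x3d])\x30\x00\x00\x00"),
    "PEB access: mov edx, fs:[edx+0x30]": re.compile(rb"\x64\x8b\x52\x30"),
}

@dataclass(frozen=True)
class Hit:
    key: int        # single-byte XOR key that exposed the signature (0 = not encoded)
    offset: int     # offset of the signature inside the carrier
    signature: str

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def scan_xor_shellcode(data: bytes) -> List[Hit]:
    """Try every single-byte XOR key and report signature matches (what XORSearch -W does)."""
    hits = []
    for key in range(256):
        decoded = xor_bytes(data, key)
        for name, pattern in SIGNATURES.items():
            hits.extend(Hit(key, m.start(), name) for m in pattern.finditer(decoded))
    hits.sort(key=lambda h: (h.key, h.offset))
    return hits

def likely_key(hits: List[Hit]) -> Optional[int]:
    """Key with the most signature hits: candidate for the 'XOR key' field in step 7."""
    return Counter(h.key for h in hits).most_common(1)[0][0] if hits else None

# Constructed sample: ASCII filler around a 13-byte x86 stub
# (call $+5; pop ebx; mov edx, fs:[0x30]) XOR-encoded with key 0x5A.
FILLER = b"Some benign carrier data, nothing to see here. "
STUB = bytes.fromhex("e800000000" "5b" "648b1530000000")
STUB_OFFSET = len(FILLER)
SAMPLE = FILLER + xor_bytes(STUB, 0x5A) + FILLER

if __name__ == "__main__":
    found = scan_xor_shellcode(SAMPLE)
    for h in found:
        print(f"key=0x{h.key:02x} offset=0x{h.offset:x} {h.signature}")
    print("likely key:", hex(likely_key(found)))
```

Every key is tried, so a plain (unencoded) buffer is reported under key 0; on real carriers expect a handful of false positives per key and confirm the candidate region with step 3 emulation.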

#shellcode #emulation #cobalt-strike #metasploit #scdbg #workflow