irt/docker_file_analysis
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
0a008354932a91d9f02f14bf54b5fbad9f3b6375
docker_file_analysis/data/generated/cheatsheets/gunzip.cheat
T
tobias f3ccc09c3d Add FOR610 tool/workflow knowledge base and data pipeline 
Build comprehensive malware analysis knowledge base from 3 sources:
- SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes
- REMnux salt-states: 340 packages parsed from GitHub
- REMnux docs: 280+ tools scraped from docs.remnux.org

Master inventory merges all sources into 447 tools with help tiers
(rich/standard/basic). Pipeline generates: tools.db (397 entries),
397 cheatsheets with multi-tool recipes, 15 workflow guides, 224
TLDR pages, and coverage reports.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 17:38:15 +01:00

31 lines
1003 B
Plaintext
Raw Blame History

# gunzip
# Decompress gzip-compressed data (often used in multi-stage payload extraction)
# FOR610 Labs: 3.4 | Sections: 3
% compression, extraction
# Basic usage
gunzip -c compressed.gz > output.bin
# --- Recipes (multi-tool chains) ---
# >> Decode Base64 + Gzip Payload
# Find Base64 strings in the script
base64dump.py <script.ps1> -n 10
# Decode Base64 and decompress gzip in one chain
base64dump.py <script.ps1> -s <selection> -d | gunzip > decoded.ps1
# >> Full Office Macro Decode Chain
# Step 1: List streams and extract VBA
oledump.py <document>
oledump.py <document> -s <macro_stream> -v
# Step 2: Extract Base64 from data stream
oledump.py <document> -s <data_stream> -d | base64dump.py -s 1 -d > stage1.ps1
# Step 3: Decode second Base64 layer + decompress
base64dump.py stage1.ps1 -s 3 -d | gunzip > stage2.ps1
# Step 4: XOR decode the shellcode
base64dump.py stage2.ps1 -s 2 -d | translate.py 'byte ^ 35' > shellcode.bin
# Step 5: Emulate the shellcode
scdbgc /f shellcode.bin /s -1
Reference in New Issue View Git Blame Copy Permalink