irt/docker_file_analysis
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
0a008354932a91d9f02f14bf54b5fbad9f3b6375
docker_file_analysis/data/generated/wiki/recipes/rtf-shellcode-extraction.md
T
tobias e62a14dafc Add markdown wiki with 473 pages and zk browser 
Generate interlinked wiki from master inventory: 397 tool pages,
15 workflow pages, 27 recipe pages, 33 category pages, plus index.
All pages use [[wiki-links]] for cross-navigation between tools,
workflows, recipes, and categories (1782 links total).

Install zk for interactive browsing with fzf search, tag filtering,
and backlink discovery. Add 'fhelp wiki' command and Makefile target.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 19:50:36 +01:00

641 B
Raw Blame History

Extract Shellcode from RTF Document

Find and extract embedded shellcode from a malicious RTF file

Tools: tools/rtfdump-py, tools/xorsearch, tools/scdbgc FOR610 Lab: 3.5

Commands

# Scan RTF structure — look for groups with lots of hex data
rtfdump.py <document.rtf>
# Extract the hex-heavy group as binary
rtfdump.py <document.rtf> -s <group_num> -H -d > extracted.bin
# Scan for shellcode patterns (even XOR-encoded)
XORSearch -W -d 3 extracted.bin
# Emulate shellcode at found offset
scdbgc /f extracted.bin /foff <offset> /s -1

#recipe #rtfdump-py #xorsearch #scdbgc

Reference in New Issue View Git Blame Copy Permalink