irt/docker_file_analysis
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
3a8e5d90efaa361e0ef2e1514807313a9c1ab7ef
docker_file_analysis/data/generated/workflows/shellcode-analysis-workflow.txt
T
tobias f3ccc09c3d Add FOR610 tool/workflow knowledge base and data pipeline 
Build comprehensive malware analysis knowledge base from 3 sources:
- SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes
- REMnux salt-states: 340 packages parsed from GitHub
- REMnux docs: 280+ tools scraped from docs.remnux.org

Master inventory merges all sources into 447 tools with help tiers
(rich/standard/basic). Pipeline generates: tools.db (397 entries),
397 cheatsheets with multi-tool recipes, 15 workflow guides, 224
TLDR pages, and coverage reports.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 17:38:15 +01:00

79 lines
2.7 KiB
Plaintext
Raw Blame History

============================================================
Shellcode Analysis
============================================================
Analyze extracted shellcode from documents, exploits, or injected processes. Covers detection, emulation, and payload identification.
Related FOR610 Labs: 3.4, 3.5, 4.6, 4.7
────────────────────────────────────────────────────────────
Step 1: Shellcode Detection
Tools: xorsearch, yara, capa
Scan carrier file for shellcode patterns. XORSearch -W
-d 3 <file> detects common shellcode signatures even
when XOR-encoded. YARA rules catch known frameworks.
$ XORSearch -W -d 3 file.bin
$ yara-rules specimen.bin
$ capa specimen.exe
Step 2: Extraction
Tools: rtfdump-py, oledump-py, pdf-parser-py
Extract shellcode from carrier. For RTF: rtfdump.py -s
<group> -H -d > sc.bin. For OLE: oledump.py -s
<stream> -d > sc.bin. For PDF: pdf-parser.py -o <obj>
-d sc.bin.
$ rtfdump.py document.rtf
$ oledump.py document.docm
$ pdf-parser.py document.pdf -a
Step 3: Emulation
Tools: scdbgc, speakeasy
Emulate without execution. scdbgc /f sc.bin /s -1
shows API calls. speakeasy -t sc.bin -r -a x86 for
deeper emulation. Look for: URL downloads, file
writes, process creation.
$ scdbgc /f shellcode.bin /s -1
$ speakeasy -t specimen.exe -o report.json 2> report.txt
Step 4: Framework Identification
Tools: yara, 1768-py
Check for known frameworks. 1768.py identifies Cobalt
Strike beacons. YARA rules detect Metasploit, Cobalt
Strike, custom frameworks. Document beacon config if
found.
$ yara-rules specimen.bin
$ 1768.py shellcode.bin
Step 5: Conversion to EXE
Tools: shcode2exe
Convert shellcode to executable for static analysis:
shcode2exe sc.bin sc.exe. Then analyze with peframe,
strings, ghidra.
$ shcode2exe <shellcode.bin> <output.exe>
Step 6: String & IOC Extraction
Tools: strings, floss, cyberchef
Extract strings from shellcode. Look for: C2 URLs,
download paths, filename markers, encryption keys. Use
CyberChef for encoded content.
$ strings binary.exe
$ floss specimen.exe
$ cyberchef
Step 7: Document Findings
Record: shellcode offset in carrier, size,
encoding/XOR key, framework (Metasploit/CS/custom), C2
address, downloaded payload URL, technique
(staged/stageless).
────────────────────────────────────────────────────────────
Tip: 'fhelp cheat <tool>' for full examples
'Ctrl+G' for interactive cheatsheet browser
Reference in New Issue View Git Blame Copy Permalink