← Back to Skills Marketplace
gandli

Ctf Malware

by gandli · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security Clean
173
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install ctf-malware
Description
Provides malware analysis and network traffic techniques for CTF challenges. Use when analyzing obfuscated scripts, malicious packages, custom crypto protoco...
README (SKILL.md)

CTF Malware & Network Analysis

Quick reference for malware analysis CTF challenges. Each technique has a one-liner here; see supporting files for full details with code.

Prerequisites

Python packages (all platforms):

pip install yara-python pefile capstone oletools unicorn pycryptodome \
  volatility3 dissect.cobaltstrike

Linux (apt):

apt install strace ltrace tshark binwalk binutils

macOS (Homebrew):

brew install wireshark binwalk binutils ghidra

Manual install:

  • dnSpy — GitHub, .NET decompiler (Windows)

Additional Resources

  • scripts-and-obfuscation.md - JavaScript deobfuscation, PowerShell analysis, eval/base64 decoding, junk code detection, hex payloads, Debian package analysis, dynamic analysis techniques (strace/ltrace, network monitoring, memory string extraction, automated sandbox execution), YARA rules for malware detection, shellcode analysis (Unicorn Engine, Capstone), memory forensics for malware (Volatility 3 malfind, process injection detection), anti-analysis techniques (VM detection, timing evasion, API hashing, process injection)
  • c2-and-protocols.md - C2 traffic patterns, custom crypto protocols, RC4 WebSocket, DNS-based C2, network indicators, PCAP analysis, AES-CBC, encryption ID, Telegram bot recovery, Poison Ivy RAT Camellia decryption
  • pe-and-dotnet.md - PE analysis (peframe, pe-sieve, pestudio), .NET analysis (dnSpy, AsmResolver), LimeRAT extraction, sandbox evasion, malware config extraction, PyInstaller+PyArmor

When to Pivot

  • If the sample is really just a normal crackme, packed challenge binary, or custom VM with no malware behavior, switch to /ctf-reverse.
  • If the main job is network reconstruction, disk carving, or host artifact recovery, switch to /ctf-forensics.
  • If the challenge turns into public attribution or infrastructure tracing, switch to /ctf-osint.

Quick Start Commands

# Static analysis
file suspicious_file
strings -n 8 suspicious_file | head -50
xxd suspicious_file | head -20

# PE analysis
python3 -c "import pefile; pe=pefile.PE('mal.exe'); print(pe.dump_info())" | head
peframe mal.exe

# Dynamic analysis (sandboxed!)
strace -f -s 200 ./suspicious 2>&1 | head -100
ltrace ./suspicious 2>&1 | head -50

# Network indicators
strings suspicious_file | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
strings suspicious_file | grep -iE 'http|ftp|ws://'

# YARA scan
yara -r rules.yar suspicious_file

Obfuscated Scripts

  • Replace eval/bash with echo to print underlying code; extract base64/hex blobs and analyze with file. See scripts-and-obfuscation.md.

JavaScript & PowerShell Deobfuscation

  • JS: Replace eval with console.log, decode unescape(), atob(), String.fromCharCode().
  • PowerShell: Decode -enc base64, replace IEX with output. See scripts-and-obfuscation.md.

Junk Code Detection

  • NOP sleds, push/pop pairs, dead writes, unconditional jumps to next instruction. Filter to extract real call targets. See scripts-and-obfuscation.md.

PCAP & Network Analysis

tshark -r file.pcap -Y "tcp.stream eq X" -T fields -e tcp.payload

Look for C2 on unusual ports. Extract IPs/domains with strings | grep. See c2-and-protocols.md.

Custom Crypto Protocols

  • Stream ciphers share keystream state for both directions; concatenate ALL payloads chronologically.
  • ChaCha20 keystream extraction: send nullbytes (0 XOR anything = anything). See c2-and-protocols.md.

C2 Traffic Patterns

  • Beaconing, DGA, DNS tunneling, HTTP(S) with custom headers, encoded payloads. See c2-and-protocols.md.

RC4-Encrypted WebSocket C2

  • Remap port with tcprewrite, add RSA key for TLS decryption, find RC4 key in binary. See c2-and-protocols.md.

Identifying Encryption Algorithms

  • AES: 0x637c777b S-box; ChaCha20: expand 32-byte k; TEA/XTEA: 0x9E3779B9; RC4: sequential S-box init. See c2-and-protocols.md.

AES-CBC in Malware

  • Key = MD5/SHA256 of hardcoded string; IV = first 16 bytes of ciphertext. See c2-and-protocols.md.

PE Analysis

peframe malware.exe      # Quick triage
pe-sieve                 # Runtime analysis
pestudio                 # Static analysis (Windows)

See pe-and-dotnet.md.

.NET Malware Analysis

  • Use dnSpy/ILSpy for decompilation; AsmResolver for programmatic analysis. LimeRAT C2: AES-256-ECB with MD5-derived key. See pe-and-dotnet.md.

Malware Configuration Extraction

  • Check .data section, PE/.NET resources, registry keys, encrypted config files. See pe-and-dotnet.md.

Sandbox Evasion Checks

  • VM detection, debugger detection, timing checks, environment checks, analysis tool detection. See pe-and-dotnet.md.

Anti-Analysis Techniques

VM detection (CPUID, MAC prefix, registry, disk size), timing evasion (sleep/RDTSC sandbox detection), API hashing (ROR13/DJB2/CRC32 + hashdb lookup), process injection (hollowing, APC, CreateRemoteThread), environment checks. See scripts-and-obfuscation.md.

PyInstaller + PyArmor Unpacking

  • pyinstxtractor.py to extract, PyArmor-Unpacker for protected code. See pe-and-dotnet.md.

Telegram Bot Evidence Recovery

  • Use bot token from malware source to call getUpdates and getFile APIs. See c2-and-protocols.md.

Debian Package Analysis

ar -x package.deb && tar -xf control.tar.xz  # Check postinst scripts

See scripts-and-obfuscation.md.

YARA Rules for Malware Detection

Write YARA rules to match byte patterns, strings, and regex against files or memory dumps. Detect XOR loops ({31 ?? 80 ?? ?? 4? 75}), base64 blobs, encoded PowerShell. Use yarac to compile for faster scanning. See scripts-and-obfuscation.md.

Shellcode Analysis

Disassemble with objdump -b binary -m i386:x86-64, emulate with Unicorn Engine (hook syscalls safely), or use Capstone for programmatic disassembly. Look for XOR decoder stubs. See scripts-and-obfuscation.md.

Memory Forensics for Malware

vol3 windows.malfind detects injected code (PAGE_EXECUTE_READWRITE without mapped file). windows.pstree reveals suspicious parent-child relationships. YARA scan memory with yarascan.YaraScan. See scripts-and-obfuscation.md.

Network Indicators Quick Reference

strings malware | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | sort -u
Usage Guidance
This skill is essentially a detailed malware-analysis cheat-sheet and is internally consistent with that purpose. However: - Do NOT run these commands on your primary machine. The instructions intentionally run and inspect malicious samples, read process memory, and call network captures — run only in an isolated, up-to-date VM or hardened sandbox with no sensitive data or network access to production systems. - Several commands require sudo or elevated privileges (tcpdump, reading /proc/<pid>/mem, installing packages). Grant those only in controlled environments. - The skill contains examples that use tokens (Telegram bot token) and shows how to fetch data when such a token is present — never supply real production tokens unless you understand the consequences. The skill does not require any env vars by default. - There is a metadata mismatch: SKILL.md sets user-invocable: "false" while registry metadata indicates the skill is user-invocable. Verify which is intended before enabling autonomous invocation. - Verify the skill author/source before installing or following instructions; this bundle came from an unknown source. If you plan to allow the agent to execute commands, restrict the agent's execution privileges and network access (no internet or limited/monitored egress) and prefer manual invocation rather than autonomous runs.
Capability Assessment
Purpose & Capability
Name/description match the content: the SKILL.md and supporting docs provide static/dynamic malware-analysis techniques, tool lists, and code snippets. Required capabilities (running strace/tcpdump, reading memory, installing analysis packages) are consistent with that purpose. Minor inconsistency: SKILL.md metadata sets user-invocable: "false" while the registry flags list user-invocable as enabled.
Instruction Scope
Instructions explicitly direct the agent/operator to run and monitor potentially malicious samples (strace/ltrace, tcpdump, running samples, dumping /proc/<pid>/mem, using sudo), to install many analysis packages, and to call external APIs (e.g., Telegram API examples). These are expected for malware analysis but are high-risk operations: they require privileged access and an isolated sandbox. The instructions do not attempt to read unrelated secrets or other skills' configs.
Install Mechanism
This is instruction-only (no install spec or code files executed by installer). The SKILL.md lists packages to pip/apt/brew-install, but no automated download/install steps are embedded in the skill itself. That minimizes installer risk.
Credentials
The skill requests no environment variables, credentials, or config paths. Some examples show use of tokens (Telegram bot token) as part of analysis workflows — these are placeholders for analyst-supplied secrets and not required by the skill itself. Overall, requested environment access is proportionate to malware-analysis tasks.
Persistence & Privilege
The skill is not marked always:true and has no install-time persistence. It does require a filesystem-capable agent to fully follow its instructions (metadata notes compatibility with agents that can run bash/Python), which is expected for an analysis guide. Note the metadata/user-invocable mismatch mentioned above.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install ctf-malware
  3. After installation, invoke the skill by name or use /ctf-malware
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of the ctf-malware skill. - Provides quick-reference techniques and tool commands for malware analysis in CTF challenges. - Covers static/dynamic analysis, obfuscated scripts, shellcode, PE/.NET files, network/PCAP analysis, C2 protocols, memory forensics, and anti-analysis techniques. - Includes prerequisites and installation commands for required tools and libraries. - Offers step-by-step quick start, tool usage, and pivot guidance to related skills. - Links to supporting files for in-depth technique explanations and code examples.
Metadata
Slug ctf-malware
Version 1.0.0
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Ctf Malware?

Provides malware analysis and network traffic techniques for CTF challenges. Use when analyzing obfuscated scripts, malicious packages, custom crypto protoco... It is an AI Agent Skill for Claude Code / OpenClaw, with 173 downloads so far.

How do I install Ctf Malware?

Run "/install ctf-malware" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Ctf Malware free?

Yes, Ctf Malware is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Ctf Malware support?

Ctf Malware is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Ctf Malware?

It is built and maintained by gandli (@gandli); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments