← 返回 Skills 市场
gandli

Ctf Malware

作者 gandli · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ 安全检测通过
173
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install ctf-malware
功能描述
Provides malware analysis and network traffic techniques for CTF challenges. Use when analyzing obfuscated scripts, malicious packages, custom crypto protoco...
使用说明 (SKILL.md)

CTF Malware & Network Analysis

Quick reference for malware analysis CTF challenges. Each technique has a one-liner here; see supporting files for full details with code.

Prerequisites

Python packages (all platforms):

pip install yara-python pefile capstone oletools unicorn pycryptodome \
  volatility3 dissect.cobaltstrike

Linux (apt):

apt install strace ltrace tshark binwalk binutils

macOS (Homebrew):

brew install wireshark binwalk binutils ghidra

Manual install:

  • dnSpy — GitHub, .NET decompiler (Windows)

Additional Resources

  • scripts-and-obfuscation.md - JavaScript deobfuscation, PowerShell analysis, eval/base64 decoding, junk code detection, hex payloads, Debian package analysis, dynamic analysis techniques (strace/ltrace, network monitoring, memory string extraction, automated sandbox execution), YARA rules for malware detection, shellcode analysis (Unicorn Engine, Capstone), memory forensics for malware (Volatility 3 malfind, process injection detection), anti-analysis techniques (VM detection, timing evasion, API hashing, process injection)
  • c2-and-protocols.md - C2 traffic patterns, custom crypto protocols, RC4 WebSocket, DNS-based C2, network indicators, PCAP analysis, AES-CBC, encryption ID, Telegram bot recovery, Poison Ivy RAT Camellia decryption
  • pe-and-dotnet.md - PE analysis (peframe, pe-sieve, pestudio), .NET analysis (dnSpy, AsmResolver), LimeRAT extraction, sandbox evasion, malware config extraction, PyInstaller+PyArmor

When to Pivot

  • If the sample is really just a normal crackme, packed challenge binary, or custom VM with no malware behavior, switch to /ctf-reverse.
  • If the main job is network reconstruction, disk carving, or host artifact recovery, switch to /ctf-forensics.
  • If the challenge turns into public attribution or infrastructure tracing, switch to /ctf-osint.

Quick Start Commands

# Static analysis
file suspicious_file
strings -n 8 suspicious_file | head -50
xxd suspicious_file | head -20

# PE analysis
python3 -c "import pefile; pe=pefile.PE('mal.exe'); print(pe.dump_info())" | head
peframe mal.exe

# Dynamic analysis (sandboxed!)
strace -f -s 200 ./suspicious 2>&1 | head -100
ltrace ./suspicious 2>&1 | head -50

# Network indicators
strings suspicious_file | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
strings suspicious_file | grep -iE 'http|ftp|ws://'

# YARA scan
yara -r rules.yar suspicious_file

Obfuscated Scripts

  • Replace eval/bash with echo to print underlying code; extract base64/hex blobs and analyze with file. See scripts-and-obfuscation.md.

JavaScript & PowerShell Deobfuscation

  • JS: Replace eval with console.log, decode unescape(), atob(), String.fromCharCode().
  • PowerShell: Decode -enc base64, replace IEX with output. See scripts-and-obfuscation.md.

Junk Code Detection

  • NOP sleds, push/pop pairs, dead writes, unconditional jumps to next instruction. Filter to extract real call targets. See scripts-and-obfuscation.md.

PCAP & Network Analysis

tshark -r file.pcap -Y "tcp.stream eq X" -T fields -e tcp.payload

Look for C2 on unusual ports. Extract IPs/domains with strings | grep. See c2-and-protocols.md.

Custom Crypto Protocols

  • Stream ciphers share keystream state for both directions; concatenate ALL payloads chronologically.
  • ChaCha20 keystream extraction: send nullbytes (0 XOR anything = anything). See c2-and-protocols.md.

C2 Traffic Patterns

  • Beaconing, DGA, DNS tunneling, HTTP(S) with custom headers, encoded payloads. See c2-and-protocols.md.

RC4-Encrypted WebSocket C2

  • Remap port with tcprewrite, add RSA key for TLS decryption, find RC4 key in binary. See c2-and-protocols.md.

Identifying Encryption Algorithms

  • AES: 0x637c777b S-box; ChaCha20: expand 32-byte k; TEA/XTEA: 0x9E3779B9; RC4: sequential S-box init. See c2-and-protocols.md.

AES-CBC in Malware

  • Key = MD5/SHA256 of hardcoded string; IV = first 16 bytes of ciphertext. See c2-and-protocols.md.

PE Analysis

peframe malware.exe      # Quick triage
pe-sieve                 # Runtime analysis
pestudio                 # Static analysis (Windows)

See pe-and-dotnet.md.

.NET Malware Analysis

  • Use dnSpy/ILSpy for decompilation; AsmResolver for programmatic analysis. LimeRAT C2: AES-256-ECB with MD5-derived key. See pe-and-dotnet.md.

Malware Configuration Extraction

  • Check .data section, PE/.NET resources, registry keys, encrypted config files. See pe-and-dotnet.md.

Sandbox Evasion Checks

  • VM detection, debugger detection, timing checks, environment checks, analysis tool detection. See pe-and-dotnet.md.

Anti-Analysis Techniques

VM detection (CPUID, MAC prefix, registry, disk size), timing evasion (sleep/RDTSC sandbox detection), API hashing (ROR13/DJB2/CRC32 + hashdb lookup), process injection (hollowing, APC, CreateRemoteThread), environment checks. See scripts-and-obfuscation.md.

PyInstaller + PyArmor Unpacking

  • pyinstxtractor.py to extract, PyArmor-Unpacker for protected code. See pe-and-dotnet.md.

Telegram Bot Evidence Recovery

  • Use bot token from malware source to call getUpdates and getFile APIs. See c2-and-protocols.md.

Debian Package Analysis

ar -x package.deb && tar -xf control.tar.xz  # Check postinst scripts

See scripts-and-obfuscation.md.

YARA Rules for Malware Detection

Write YARA rules to match byte patterns, strings, and regex against files or memory dumps. Detect XOR loops ({31 ?? 80 ?? ?? 4? 75}), base64 blobs, encoded PowerShell. Use yarac to compile for faster scanning. See scripts-and-obfuscation.md.

Shellcode Analysis

Disassemble with objdump -b binary -m i386:x86-64, emulate with Unicorn Engine (hook syscalls safely), or use Capstone for programmatic disassembly. Look for XOR decoder stubs. See scripts-and-obfuscation.md.

Memory Forensics for Malware

vol3 windows.malfind detects injected code (PAGE_EXECUTE_READWRITE without mapped file). windows.pstree reveals suspicious parent-child relationships. YARA scan memory with yarascan.YaraScan. See scripts-and-obfuscation.md.

Network Indicators Quick Reference

strings malware | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | sort -u
安全使用建议
This skill is essentially a detailed malware-analysis cheat-sheet and is internally consistent with that purpose. However: - Do NOT run these commands on your primary machine. The instructions intentionally run and inspect malicious samples, read process memory, and call network captures — run only in an isolated, up-to-date VM or hardened sandbox with no sensitive data or network access to production systems. - Several commands require sudo or elevated privileges (tcpdump, reading /proc/<pid>/mem, installing packages). Grant those only in controlled environments. - The skill contains examples that use tokens (Telegram bot token) and shows how to fetch data when such a token is present — never supply real production tokens unless you understand the consequences. The skill does not require any env vars by default. - There is a metadata mismatch: SKILL.md sets user-invocable: "false" while registry metadata indicates the skill is user-invocable. Verify which is intended before enabling autonomous invocation. - Verify the skill author/source before installing or following instructions; this bundle came from an unknown source. If you plan to allow the agent to execute commands, restrict the agent's execution privileges and network access (no internet or limited/monitored egress) and prefer manual invocation rather than autonomous runs.
能力评估
Purpose & Capability
Name/description match the content: the SKILL.md and supporting docs provide static/dynamic malware-analysis techniques, tool lists, and code snippets. Required capabilities (running strace/tcpdump, reading memory, installing analysis packages) are consistent with that purpose. Minor inconsistency: SKILL.md metadata sets user-invocable: "false" while the registry flags list user-invocable as enabled.
Instruction Scope
Instructions explicitly direct the agent/operator to run and monitor potentially malicious samples (strace/ltrace, tcpdump, running samples, dumping /proc/<pid>/mem, using sudo), to install many analysis packages, and to call external APIs (e.g., Telegram API examples). These are expected for malware analysis but are high-risk operations: they require privileged access and an isolated sandbox. The instructions do not attempt to read unrelated secrets or other skills' configs.
Install Mechanism
This is instruction-only (no install spec or code files executed by installer). The SKILL.md lists packages to pip/apt/brew-install, but no automated download/install steps are embedded in the skill itself. That minimizes installer risk.
Credentials
The skill requests no environment variables, credentials, or config paths. Some examples show use of tokens (Telegram bot token) as part of analysis workflows — these are placeholders for analyst-supplied secrets and not required by the skill itself. Overall, requested environment access is proportionate to malware-analysis tasks.
Persistence & Privilege
The skill is not marked always:true and has no install-time persistence. It does require a filesystem-capable agent to fully follow its instructions (metadata notes compatibility with agents that can run bash/Python), which is expected for an analysis guide. Note the metadata/user-invocable mismatch mentioned above.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install ctf-malware
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /ctf-malware 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of the ctf-malware skill. - Provides quick-reference techniques and tool commands for malware analysis in CTF challenges. - Covers static/dynamic analysis, obfuscated scripts, shellcode, PE/.NET files, network/PCAP analysis, C2 protocols, memory forensics, and anti-analysis techniques. - Includes prerequisites and installation commands for required tools and libraries. - Offers step-by-step quick start, tool usage, and pivot guidance to related skills. - Links to supporting files for in-depth technique explanations and code examples.
元数据
Slug ctf-malware
版本 1.0.0
许可证 MIT-0
累计安装 1
当前安装数 1
历史版本数 1
常见问题

Ctf Malware 是什么?

Provides malware analysis and network traffic techniques for CTF challenges. Use when analyzing obfuscated scripts, malicious packages, custom crypto protoco... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 173 次。

如何安装 Ctf Malware?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install ctf-malware」即可一键安装,无需额外配置。

Ctf Malware 是免费的吗?

是的,Ctf Malware 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

Ctf Malware 支持哪些平台?

Ctf Malware 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Ctf Malware?

由 gandli(@gandli)开发并维护,当前版本 v1.0.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论