Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
This commit is contained in:
mukul975
2026-03-10 21:02:12 +01:00
parent c74d52fa30
commit 27c6414ca5
1390 changed files with 106806 additions and 0 deletions
@@ -0,0 +1,21 @@
MIT License
Copyright (c) 2025 Anthropic Agent Skills Contributors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
@@ -0,0 +1,97 @@
# API Reference: Bootkit and Rootkit Analysis Tools
## dd - Boot Sector Extraction
### Syntax
```bash
dd if=/dev/sda of=mbr.bin bs=512 count=1 # MBR
dd if=/dev/sda of=first_track.bin bs=512 count=63 # First track
dd if=/dev/sda1 of=vbr.bin bs=512 count=1 # VBR
```
## ndisasm - 16-bit Disassembly
### Syntax
```bash
ndisasm -b16 mbr.bin > mbr_disasm.txt
ndisasm -b16 -o 0x7C00 mbr.bin # Set origin to MBR load address
```
### Key Flags
| Flag | Description |
|------|-------------|
| `-b16` | 16-bit real-mode disassembly |
| `-b32` | 32-bit protected-mode |
| `-o` | Origin address offset |
## UEFITool - Firmware Analysis
### CLI Syntax
```bash
UEFIExtract firmware.rom all # Extract all modules
UEFIExtract firmware.rom <GUID> body # Extract specific module body
```
### Output
Extracts firmware volumes into a directory tree with each DXE driver, PEI module, and option ROM as separate files identified by GUID.
## chipsec - Hardware Security Assessment
### Syntax
```bash
python chipsec_main.py -m common.secureboot.variables # Check Secure Boot
python chipsec_main.py -m common.bios_wp # SPI write protection
python chipsec_main.py -m common.spi_lock # SPI lock status
python chipsec_util.py spi dump firmware.rom # Dump SPI flash
```
### Key Modules
| Module | Purpose |
|--------|---------|
| `common.secureboot.variables` | Verify Secure Boot configuration |
| `common.bios_wp` | Check BIOS write protection |
| `common.spi_lock` | Verify SPI flash lock bits |
| `common.smm` | SMM protection verification |
## Volatility 3 - Rootkit Detection Plugins
### Syntax
```bash
vol3 -f memory.dmp <plugin>
```
### Rootkit Detection Plugins
| Plugin | Purpose |
|--------|---------|
| `windows.ssdt` | System Service Descriptor Table hooks |
| `windows.callbacks` | Kernel callback registrations |
| `windows.driverscan` | Scan for driver objects |
| `windows.modules` | List loaded kernel modules |
| `windows.psscan` | Pool-tag scan for processes (finds hidden) |
| `windows.pslist` | Active process list (DKOM-affected) |
| `windows.idt` | Interrupt Descriptor Table hooks |
### Output Format
```
Offset Order Module Section Owner
------- ----- ------ ------- -----
0x... 0 ntoskrnl.exe .text ntoskrnl.exe
0x... 73 UNKNOWN - rootkit.sys ← suspicious
```
## flashrom - SPI Flash Dumping
### Syntax
```bash
flashrom -p internal -r firmware.rom # Read/dump
flashrom -p internal -w clean.rom # Write/reflash
flashrom -p internal --verify clean.rom # Verify flash contents
```
## YARA - Firmware Pattern Scanning
### Syntax
```bash
yara -r uefi_malware.yar firmware.rom
yara -s -r rules.yar firmware.rom # Show matching strings
```
@@ -0,0 +1,196 @@
#!/usr/bin/env python3
"""Bootkit and rootkit analysis agent for MBR/VBR/UEFI inspection and rootkit detection."""
import struct
import hashlib
import os
import sys
import subprocess
import math
from collections import Counter
def read_mbr(disk_path_or_file):
"""Read and parse the first 512 bytes (MBR) from a disk image or device."""
with open(disk_path_or_file, "rb") as f:
mbr = f.read(512)
return mbr
def validate_mbr_signature(mbr_data):
"""Check the MBR boot signature at bytes 510-511 (should be 0x55AA)."""
sig = mbr_data[510:512]
valid = sig == b"\x55\xAA"
return valid, sig.hex()
def parse_partition_table(mbr_data):
"""Parse the four 16-byte partition table entries starting at offset 446."""
partitions = []
for i in range(4):
offset = 446 + (i * 16)
entry = mbr_data[offset:offset + 16]
if entry == b"\x00" * 16:
continue
boot_flag = entry[0]
part_type = entry[4]
start_lba = struct.unpack_from("<I", entry, 8)[0]
size_lba = struct.unpack_from("<I", entry, 12)[0]
partitions.append({
"index": i + 1,
"active": boot_flag == 0x80,
"type_id": f"0x{part_type:02X}",
"start_lba": start_lba,
"size_sectors": size_lba,
"size_mb": round(size_lba * 512 / (1024 * 1024), 1),
})
return partitions
BOOTKIT_SIGNATURES = {
b"\xE8\x00\x00\x5E\x81\xEE": "TDL4/Alureon bootkit",
b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\x8B\xF4\x50\x07": "Standard Windows MBR (clean)",
b"\xEB\x5A\x90\x4E\x54\x46\x53": "Standard NTFS VBR (clean)",
b"\xEB\x52\x90\x4E\x54\x46\x53": "NTFS VBR variant (clean)",
b"\x33\xC0\x8E\xD0\xBC\x00\x7C": "Windows 10 MBR (clean)",
}
def scan_bootkit_signatures(data):
"""Scan boot sector data against known bootkit signatures."""
matches = []
for sig, name in BOOTKIT_SIGNATURES.items():
if sig in data:
offset = data.find(sig)
matches.append({"signature": name, "offset": offset, "clean": "clean" in name})
return matches
def calculate_entropy(data):
"""Calculate Shannon entropy of binary data."""
if not data:
return 0.0
counter = Counter(data)
length = len(data)
entropy = -sum(
(count / length) * math.log2(count / length)
for count in counter.values()
)
return round(entropy, 4)
def read_first_track(disk_path, num_sectors=63):
"""Read the first track (typically 63 sectors) for extended bootkit code."""
with open(disk_path, "rb") as f:
data = f.read(num_sectors * 512)
return data
def analyze_boot_code(mbr_data):
"""Analyze MBR bootstrap code (bytes 0-445) for suspicious patterns."""
boot_code = mbr_data[:446]
entropy = calculate_entropy(boot_code)
sha256 = hashlib.sha256(boot_code).hexdigest()
suspicious_patterns = []
# Check for INT 13h hooking (common bootkit technique)
if b"\xCD\x13" in boot_code:
count = boot_code.count(b"\xCD\x13")
suspicious_patterns.append(f"INT 13h calls: {count}")
# Check for far jumps to unusual addresses
if b"\xEA" in boot_code:
suspicious_patterns.append("Far JMP instruction found")
# Check for self-modifying code patterns
if b"\xF3\xA4" in boot_code or b"\xF3\xA5" in boot_code:
suspicious_patterns.append("REP MOVSB/MOVSW (memory copy, possible code relocation)")
return {
"entropy": entropy,
"sha256": sha256,
"high_entropy": entropy > 6.5,
"suspicious_patterns": suspicious_patterns,
}
def run_volatility_rootkit_scan(memory_dump, plugin):
"""Run a Volatility 3 plugin for rootkit detection via subprocess."""
cmd = f"vol3 -f {memory_dump} {plugin}"
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
return result.stdout, result.stderr, result.returncode
def detect_kernel_rootkit(memory_dump):
"""Run multiple Volatility plugins to detect kernel-level rootkit artifacts."""
plugins = [
"windows.ssdt",
"windows.callbacks",
"windows.driverscan",
"windows.modules",
"windows.psscan",
"windows.pslist",
]
results = {}
for plugin in plugins:
stdout, stderr, rc = run_volatility_rootkit_scan(memory_dump, plugin)
results[plugin] = {"output": stdout, "error": stderr, "return_code": rc}
return results
def compare_process_lists(pslist_output, psscan_output):
"""Compare pslist and psscan output to find hidden processes (DKOM)."""
pslist_pids = set()
psscan_pids = set()
for line in pslist_output.splitlines():
parts = line.split()
if len(parts) >= 2 and parts[1].isdigit():
pslist_pids.add(int(parts[1]))
for line in psscan_output.splitlines():
parts = line.split()
if len(parts) >= 2 and parts[1].isdigit():
psscan_pids.add(int(parts[1]))
hidden = psscan_pids - pslist_pids
return hidden
if __name__ == "__main__":
print("=" * 60)
print("Bootkit & Rootkit Analysis Agent")
print("MBR/VBR inspection, UEFI firmware analysis, rootkit detection")
print("=" * 60)
# Demo with a sample MBR file if available
demo_mbr = "mbr.bin"
if len(sys.argv) > 1:
demo_mbr = sys.argv[1]
if os.path.exists(demo_mbr):
print(f"\n[*] Analyzing: {demo_mbr}")
mbr = read_mbr(demo_mbr)
valid, sig_hex = validate_mbr_signature(mbr)
print(f"[*] MBR Signature: 0x{sig_hex.upper()} ({'Valid' if valid else 'INVALID'})")
partitions = parse_partition_table(mbr)
print(f"[*] Partition entries: {len(partitions)}")
for p in partitions:
active = "Active" if p["active"] else "Inactive"
print(f" Part {p['index']}: Type={p['type_id']} {active} "
f"Start=LBA {p['start_lba']} Size={p['size_mb']} MB")
sigs = scan_bootkit_signatures(mbr)
for s in sigs:
tag = "[*]" if s["clean"] else "[!]"
print(f"{tag} Signature match: {s['signature']} at offset {s['offset']}")
analysis = analyze_boot_code(mbr)
print(f"[*] Boot code entropy: {analysis['entropy']}"
f" ({'HIGH - possible encryption' if analysis['high_entropy'] else 'Normal'})")
print(f"[*] Boot code SHA-256: {analysis['sha256']}")
for pat in analysis["suspicious_patterns"]:
print(f"[!] {pat}")
else:
print(f"\n[DEMO] No MBR file provided. Usage: {sys.argv[0]} <mbr.bin | /dev/sda>")
print("[DEMO] Provide a 512-byte MBR dump or disk device for analysis.")
print("\n[*] Supported analysis:")
print(" - MBR/VBR signature validation and bootkit detection")
print(" - Partition table parsing and anomaly detection")
print(" - Boot code entropy and pattern analysis")
print(" - Volatility-based kernel rootkit detection (SSDT, callbacks, DKOM)")
print(" - UEFI firmware module inspection via chipsec subprocess")