mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 21:19:40 +03:00
Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
This commit is contained in:
@@ -0,0 +1,21 @@
|
||||
MIT License
|
||||
|
||||
Copyright (c) 2025 Anthropic Agent Skills Contributors
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
@@ -0,0 +1,97 @@
|
||||
# API Reference: Bootkit and Rootkit Analysis Tools
|
||||
|
||||
## dd - Boot Sector Extraction
|
||||
|
||||
### Syntax
|
||||
```bash
|
||||
dd if=/dev/sda of=mbr.bin bs=512 count=1 # MBR
|
||||
dd if=/dev/sda of=first_track.bin bs=512 count=63 # First track
|
||||
dd if=/dev/sda1 of=vbr.bin bs=512 count=1 # VBR
|
||||
```
|
||||
|
||||
## ndisasm - 16-bit Disassembly
|
||||
|
||||
### Syntax
|
||||
```bash
|
||||
ndisasm -b16 mbr.bin > mbr_disasm.txt
|
||||
ndisasm -b16 -o 0x7C00 mbr.bin # Set origin to MBR load address
|
||||
```
|
||||
|
||||
### Key Flags
|
||||
| Flag | Description |
|
||||
|------|-------------|
|
||||
| `-b16` | 16-bit real-mode disassembly |
|
||||
| `-b32` | 32-bit protected-mode |
|
||||
| `-o` | Origin address offset |
|
||||
|
||||
## UEFITool - Firmware Analysis
|
||||
|
||||
### CLI Syntax
|
||||
```bash
|
||||
UEFIExtract firmware.rom all # Extract all modules
|
||||
UEFIExtract firmware.rom <GUID> body # Extract specific module body
|
||||
```
|
||||
|
||||
### Output
|
||||
Extracts firmware volumes into a directory tree with each DXE driver, PEI module, and option ROM as separate files identified by GUID.
|
||||
|
||||
## chipsec - Hardware Security Assessment
|
||||
|
||||
### Syntax
|
||||
```bash
|
||||
python chipsec_main.py -m common.secureboot.variables # Check Secure Boot
|
||||
python chipsec_main.py -m common.bios_wp # SPI write protection
|
||||
python chipsec_main.py -m common.spi_lock # SPI lock status
|
||||
python chipsec_util.py spi dump firmware.rom # Dump SPI flash
|
||||
```
|
||||
|
||||
### Key Modules
|
||||
| Module | Purpose |
|
||||
|--------|---------|
|
||||
| `common.secureboot.variables` | Verify Secure Boot configuration |
|
||||
| `common.bios_wp` | Check BIOS write protection |
|
||||
| `common.spi_lock` | Verify SPI flash lock bits |
|
||||
| `common.smm` | SMM protection verification |
|
||||
|
||||
## Volatility 3 - Rootkit Detection Plugins
|
||||
|
||||
### Syntax
|
||||
```bash
|
||||
vol3 -f memory.dmp <plugin>
|
||||
```
|
||||
|
||||
### Rootkit Detection Plugins
|
||||
| Plugin | Purpose |
|
||||
|--------|---------|
|
||||
| `windows.ssdt` | System Service Descriptor Table hooks |
|
||||
| `windows.callbacks` | Kernel callback registrations |
|
||||
| `windows.driverscan` | Scan for driver objects |
|
||||
| `windows.modules` | List loaded kernel modules |
|
||||
| `windows.psscan` | Pool-tag scan for processes (finds hidden) |
|
||||
| `windows.pslist` | Active process list (DKOM-affected) |
|
||||
| `windows.idt` | Interrupt Descriptor Table hooks |
|
||||
|
||||
### Output Format
|
||||
```
|
||||
Offset Order Module Section Owner
|
||||
------- ----- ------ ------- -----
|
||||
0x... 0 ntoskrnl.exe .text ntoskrnl.exe
|
||||
0x... 73 UNKNOWN - rootkit.sys ← suspicious
|
||||
```
|
||||
|
||||
## flashrom - SPI Flash Dumping
|
||||
|
||||
### Syntax
|
||||
```bash
|
||||
flashrom -p internal -r firmware.rom # Read/dump
|
||||
flashrom -p internal -w clean.rom # Write/reflash
|
||||
flashrom -p internal --verify clean.rom # Verify flash contents
|
||||
```
|
||||
|
||||
## YARA - Firmware Pattern Scanning
|
||||
|
||||
### Syntax
|
||||
```bash
|
||||
yara -r uefi_malware.yar firmware.rom
|
||||
yara -s -r rules.yar firmware.rom # Show matching strings
|
||||
```
|
||||
@@ -0,0 +1,196 @@
|
||||
#!/usr/bin/env python3
|
||||
"""Bootkit and rootkit analysis agent for MBR/VBR/UEFI inspection and rootkit detection."""
|
||||
|
||||
import struct
|
||||
import hashlib
|
||||
import os
|
||||
import sys
|
||||
import subprocess
|
||||
import math
|
||||
from collections import Counter
|
||||
|
||||
|
||||
def read_mbr(disk_path_or_file):
|
||||
"""Read and parse the first 512 bytes (MBR) from a disk image or device."""
|
||||
with open(disk_path_or_file, "rb") as f:
|
||||
mbr = f.read(512)
|
||||
return mbr
|
||||
|
||||
|
||||
def validate_mbr_signature(mbr_data):
|
||||
"""Check the MBR boot signature at bytes 510-511 (should be 0x55AA)."""
|
||||
sig = mbr_data[510:512]
|
||||
valid = sig == b"\x55\xAA"
|
||||
return valid, sig.hex()
|
||||
|
||||
|
||||
def parse_partition_table(mbr_data):
|
||||
"""Parse the four 16-byte partition table entries starting at offset 446."""
|
||||
partitions = []
|
||||
for i in range(4):
|
||||
offset = 446 + (i * 16)
|
||||
entry = mbr_data[offset:offset + 16]
|
||||
if entry == b"\x00" * 16:
|
||||
continue
|
||||
boot_flag = entry[0]
|
||||
part_type = entry[4]
|
||||
start_lba = struct.unpack_from("<I", entry, 8)[0]
|
||||
size_lba = struct.unpack_from("<I", entry, 12)[0]
|
||||
partitions.append({
|
||||
"index": i + 1,
|
||||
"active": boot_flag == 0x80,
|
||||
"type_id": f"0x{part_type:02X}",
|
||||
"start_lba": start_lba,
|
||||
"size_sectors": size_lba,
|
||||
"size_mb": round(size_lba * 512 / (1024 * 1024), 1),
|
||||
})
|
||||
return partitions
|
||||
|
||||
|
||||
BOOTKIT_SIGNATURES = {
|
||||
b"\xE8\x00\x00\x5E\x81\xEE": "TDL4/Alureon bootkit",
|
||||
b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\x8B\xF4\x50\x07": "Standard Windows MBR (clean)",
|
||||
b"\xEB\x5A\x90\x4E\x54\x46\x53": "Standard NTFS VBR (clean)",
|
||||
b"\xEB\x52\x90\x4E\x54\x46\x53": "NTFS VBR variant (clean)",
|
||||
b"\x33\xC0\x8E\xD0\xBC\x00\x7C": "Windows 10 MBR (clean)",
|
||||
}
|
||||
|
||||
|
||||
def scan_bootkit_signatures(data):
|
||||
"""Scan boot sector data against known bootkit signatures."""
|
||||
matches = []
|
||||
for sig, name in BOOTKIT_SIGNATURES.items():
|
||||
if sig in data:
|
||||
offset = data.find(sig)
|
||||
matches.append({"signature": name, "offset": offset, "clean": "clean" in name})
|
||||
return matches
|
||||
|
||||
|
||||
def calculate_entropy(data):
|
||||
"""Calculate Shannon entropy of binary data."""
|
||||
if not data:
|
||||
return 0.0
|
||||
counter = Counter(data)
|
||||
length = len(data)
|
||||
entropy = -sum(
|
||||
(count / length) * math.log2(count / length)
|
||||
for count in counter.values()
|
||||
)
|
||||
return round(entropy, 4)
|
||||
|
||||
|
||||
def read_first_track(disk_path, num_sectors=63):
|
||||
"""Read the first track (typically 63 sectors) for extended bootkit code."""
|
||||
with open(disk_path, "rb") as f:
|
||||
data = f.read(num_sectors * 512)
|
||||
return data
|
||||
|
||||
|
||||
def analyze_boot_code(mbr_data):
|
||||
"""Analyze MBR bootstrap code (bytes 0-445) for suspicious patterns."""
|
||||
boot_code = mbr_data[:446]
|
||||
entropy = calculate_entropy(boot_code)
|
||||
sha256 = hashlib.sha256(boot_code).hexdigest()
|
||||
suspicious_patterns = []
|
||||
# Check for INT 13h hooking (common bootkit technique)
|
||||
if b"\xCD\x13" in boot_code:
|
||||
count = boot_code.count(b"\xCD\x13")
|
||||
suspicious_patterns.append(f"INT 13h calls: {count}")
|
||||
# Check for far jumps to unusual addresses
|
||||
if b"\xEA" in boot_code:
|
||||
suspicious_patterns.append("Far JMP instruction found")
|
||||
# Check for self-modifying code patterns
|
||||
if b"\xF3\xA4" in boot_code or b"\xF3\xA5" in boot_code:
|
||||
suspicious_patterns.append("REP MOVSB/MOVSW (memory copy, possible code relocation)")
|
||||
return {
|
||||
"entropy": entropy,
|
||||
"sha256": sha256,
|
||||
"high_entropy": entropy > 6.5,
|
||||
"suspicious_patterns": suspicious_patterns,
|
||||
}
|
||||
|
||||
|
||||
def run_volatility_rootkit_scan(memory_dump, plugin):
|
||||
"""Run a Volatility 3 plugin for rootkit detection via subprocess."""
|
||||
cmd = f"vol3 -f {memory_dump} {plugin}"
|
||||
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
|
||||
return result.stdout, result.stderr, result.returncode
|
||||
|
||||
|
||||
def detect_kernel_rootkit(memory_dump):
|
||||
"""Run multiple Volatility plugins to detect kernel-level rootkit artifacts."""
|
||||
plugins = [
|
||||
"windows.ssdt",
|
||||
"windows.callbacks",
|
||||
"windows.driverscan",
|
||||
"windows.modules",
|
||||
"windows.psscan",
|
||||
"windows.pslist",
|
||||
]
|
||||
results = {}
|
||||
for plugin in plugins:
|
||||
stdout, stderr, rc = run_volatility_rootkit_scan(memory_dump, plugin)
|
||||
results[plugin] = {"output": stdout, "error": stderr, "return_code": rc}
|
||||
return results
|
||||
|
||||
|
||||
def compare_process_lists(pslist_output, psscan_output):
|
||||
"""Compare pslist and psscan output to find hidden processes (DKOM)."""
|
||||
pslist_pids = set()
|
||||
psscan_pids = set()
|
||||
for line in pslist_output.splitlines():
|
||||
parts = line.split()
|
||||
if len(parts) >= 2 and parts[1].isdigit():
|
||||
pslist_pids.add(int(parts[1]))
|
||||
for line in psscan_output.splitlines():
|
||||
parts = line.split()
|
||||
if len(parts) >= 2 and parts[1].isdigit():
|
||||
psscan_pids.add(int(parts[1]))
|
||||
hidden = psscan_pids - pslist_pids
|
||||
return hidden
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
print("=" * 60)
|
||||
print("Bootkit & Rootkit Analysis Agent")
|
||||
print("MBR/VBR inspection, UEFI firmware analysis, rootkit detection")
|
||||
print("=" * 60)
|
||||
|
||||
# Demo with a sample MBR file if available
|
||||
demo_mbr = "mbr.bin"
|
||||
if len(sys.argv) > 1:
|
||||
demo_mbr = sys.argv[1]
|
||||
|
||||
if os.path.exists(demo_mbr):
|
||||
print(f"\n[*] Analyzing: {demo_mbr}")
|
||||
mbr = read_mbr(demo_mbr)
|
||||
valid, sig_hex = validate_mbr_signature(mbr)
|
||||
print(f"[*] MBR Signature: 0x{sig_hex.upper()} ({'Valid' if valid else 'INVALID'})")
|
||||
|
||||
partitions = parse_partition_table(mbr)
|
||||
print(f"[*] Partition entries: {len(partitions)}")
|
||||
for p in partitions:
|
||||
active = "Active" if p["active"] else "Inactive"
|
||||
print(f" Part {p['index']}: Type={p['type_id']} {active} "
|
||||
f"Start=LBA {p['start_lba']} Size={p['size_mb']} MB")
|
||||
|
||||
sigs = scan_bootkit_signatures(mbr)
|
||||
for s in sigs:
|
||||
tag = "[*]" if s["clean"] else "[!]"
|
||||
print(f"{tag} Signature match: {s['signature']} at offset {s['offset']}")
|
||||
|
||||
analysis = analyze_boot_code(mbr)
|
||||
print(f"[*] Boot code entropy: {analysis['entropy']}"
|
||||
f" ({'HIGH - possible encryption' if analysis['high_entropy'] else 'Normal'})")
|
||||
print(f"[*] Boot code SHA-256: {analysis['sha256']}")
|
||||
for pat in analysis["suspicious_patterns"]:
|
||||
print(f"[!] {pat}")
|
||||
else:
|
||||
print(f"\n[DEMO] No MBR file provided. Usage: {sys.argv[0]} <mbr.bin | /dev/sda>")
|
||||
print("[DEMO] Provide a 512-byte MBR dump or disk device for analysis.")
|
||||
print("\n[*] Supported analysis:")
|
||||
print(" - MBR/VBR signature validation and bootkit detection")
|
||||
print(" - Partition table parsing and anomaly detection")
|
||||
print(" - Boot code entropy and pattern analysis")
|
||||
print(" - Volatility-based kernel rootkit detection (SSDT, callbacks, DKOM)")
|
||||
print(" - UEFI firmware module inspection via chipsec subprocess")
|
||||
Reference in New Issue
Block a user