Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
2026-06-17 00:13:17 +03:00 · 2026-03-10 21:02:12 +01:00
parent c74d52fa30
commit 27c6414ca5
1390 changed files with 106806 additions and 0 deletions
@@ -0,0 +1,97 @@
+# API Reference: Bootkit and Rootkit Analysis Tools
+
+## dd - Boot Sector Extraction
+
+### Syntax
+```bash
+dd if=/dev/sda of=mbr.bin bs=512 count=1          # MBR
+dd if=/dev/sda of=first_track.bin bs=512 count=63  # First track
+dd if=/dev/sda1 of=vbr.bin bs=512 count=1          # VBR
+```
+
+## ndisasm - 16-bit Disassembly
+
+### Syntax
+```bash
+ndisasm -b16 mbr.bin > mbr_disasm.txt
+ndisasm -b16 -o 0x7C00 mbr.bin   # Set origin to MBR load address
+```
+
+### Key Flags
+| Flag | Description |
+|------|-------------|
+| `-b16` | 16-bit real-mode disassembly |
+| `-b32` | 32-bit protected-mode |
+| `-o` | Origin address offset |
+
+## UEFITool - Firmware Analysis
+
+### CLI Syntax
+```bash
+UEFIExtract firmware.rom all             # Extract all modules
+UEFIExtract firmware.rom <GUID> body     # Extract specific module body
+```
+
+### Output
+Extracts firmware volumes into a directory tree with each DXE driver, PEI module, and option ROM as separate files identified by GUID.
+
+## chipsec - Hardware Security Assessment
+
+### Syntax
+```bash
+python chipsec_main.py -m common.secureboot.variables  # Check Secure Boot
+python chipsec_main.py -m common.bios_wp               # SPI write protection
+python chipsec_main.py -m common.spi_lock               # SPI lock status
+python chipsec_util.py spi dump firmware.rom            # Dump SPI flash
+```
+
+### Key Modules
+| Module | Purpose |
+|--------|---------|
+| `common.secureboot.variables` | Verify Secure Boot configuration |
+| `common.bios_wp` | Check BIOS write protection |
+| `common.spi_lock` | Verify SPI flash lock bits |
+| `common.smm` | SMM protection verification |
+
+## Volatility 3 - Rootkit Detection Plugins
+
+### Syntax
+```bash
+vol3 -f memory.dmp <plugin>
+```
+
+### Rootkit Detection Plugins
+| Plugin | Purpose |
+|--------|---------|
+| `windows.ssdt` | System Service Descriptor Table hooks |
+| `windows.callbacks` | Kernel callback registrations |
+| `windows.driverscan` | Scan for driver objects |
+| `windows.modules` | List loaded kernel modules |
+| `windows.psscan` | Pool-tag scan for processes (finds hidden) |
+| `windows.pslist` | Active process list (DKOM-affected) |
+| `windows.idt` | Interrupt Descriptor Table hooks |
+
+### Output Format
+```
+Offset  Order  Module         Section  Owner
+------- -----  ------         -------  -----
+0x...   0      ntoskrnl.exe   .text    ntoskrnl.exe
+0x...   73     UNKNOWN        -        rootkit.sys   ← suspicious
+```
+
+## flashrom - SPI Flash Dumping
+
+### Syntax
+```bash
+flashrom -p internal -r firmware.rom     # Read/dump
+flashrom -p internal -w clean.rom        # Write/reflash
+flashrom -p internal --verify clean.rom  # Verify flash contents
+```
+
+## YARA - Firmware Pattern Scanning
+
+### Syntax
+```bash
+yara -r uefi_malware.yar firmware.rom
+yara -s -r rules.yar firmware.rom   # Show matching strings
+```