Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
2026-06-14 15:04:56 +03:00 · 2026-03-10 21:02:12 +01:00
parent c74d52fa30
commit 27c6414ca5
1390 changed files with 106806 additions and 0 deletions
@@ -0,0 +1,119 @@
+# API Reference: Linux ELF Malware Analysis Tools
+
+## readelf - ELF Binary Inspection
+
+### Syntax
+```bash
+readelf -h <binary>    # ELF header
+readelf -S <binary>    # Section headers
+readelf -l <binary>    # Program headers (segments)
+readelf -s <binary>    # Symbol table
+readelf -d <binary>    # Dynamic section
+readelf -r <binary>    # Relocation entries
+readelf -n <binary>    # Notes section
+```
+
+### Key ELF Header Fields
+| Field | Description |
+|-------|-------------|
+| `Class` | 32-bit or 64-bit |
+| `Machine` | Architecture (x86-64, ARM, MIPS) |
+| `Type` | EXEC (executable), DYN (shared object) |
+| `Entry point` | Code execution start address |
+
+## pyelftools - Python ELF Parsing
+
+### Usage
+```python
+from elftools.elf.elffile import ELFFile
+
+with open("binary", "rb") as f:
+    elf = ELFFile(f)
+    elf.elfclass          # 32 or 64
+    elf.little_endian     # True/False
+    elf.header.e_machine  # Architecture
+    elf.header.e_entry    # Entry point
+    elf.num_sections()    # Section count
+    elf.get_section_by_name(".symtab")  # Symbol table
+```
+
+## strings - String Extraction
+
+### Syntax
+```bash
+strings <binary>                  # ASCII strings (default min 4)
+strings -n 8 <binary>            # Minimum 8 characters
+strings -e l <binary>            # 16-bit little-endian (Unicode)
+strings -t x <binary>            # Print offset in hex
+```
+
+## strace - System Call Tracing
+
+### Syntax
+```bash
+strace -f ./binary                    # Follow forks
+strace -e trace=network ./binary      # Network calls only
+strace -e trace=file ./binary         # File operations only
+strace -e trace=process ./binary      # Process operations
+strace -o output.txt ./binary         # Log to file
+strace -c ./binary                    # Summary statistics
+```
+
+### Key System Calls
+| Call | Category |
+|------|----------|
+| `socket`, `connect`, `bind` | Network |
+| `fork`, `execve`, `clone` | Process |
+| `open`, `read`, `write`, `unlink` | File I/O |
+| `ptrace` | Anti-debug/injection |
+
+## ltrace - Library Call Tracing
+
+### Syntax
+```bash
+ltrace -f ./binary                # Follow child processes
+ltrace -e malloc+free ./binary    # Specific functions
+ltrace -o output.txt ./binary     # Log to file
+```
+
+## GDB - GNU Debugger
+
+### Syntax
+```bash
+gdb ./binary
+(gdb) break main
+(gdb) break *0x400580       # Break at address
+(gdb) run
+(gdb) info registers
+(gdb) x/20s $rdi            # Examine string at RDI
+(gdb) x/10i $rip            # Disassemble at RIP
+(gdb) bt                    # Backtrace
+```
+
+## UPX - Packer Detection/Unpacking
+
+### Syntax
+```bash
+upx -t <binary>    # Test if packed
+upx -d <binary>    # Decompress/unpack
+upx -l <binary>    # List compression details
+```
+
+## objdump - Disassembly
+
+### Syntax
+```bash
+objdump -d <binary>              # Disassemble .text
+objdump -D <binary>              # Disassemble all sections
+objdump -M intel -d <binary>     # Intel syntax
+objdump -t <binary>              # Symbol table
+```
+
+## nm - Symbol Listing
+
+### Syntax
+```bash
+nm <binary>        # List symbols
+nm -D <binary>     # Dynamic symbols only
+nm -u <binary>     # Undefined (imported) symbols
+```