Anthropic-Cybersecurity-Skills/skills/analyzing-linux-elf-malware/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00


API Reference: Linux ELF Malware Analysis Tools

readelf - ELF Binary Inspection

Syntax

readelf -h <binary>    # ELF header
readelf -S <binary>    # Section headers
readelf -l <binary>    # Program headers (segments)
readelf -s <binary>    # Symbol table
readelf -d <binary>    # Dynamic section
readelf -r <binary>    # Relocation entries
readelf -n <binary>    # Notes section

Key ELF Header Fields

| Field | Description |
|---|---|
| Class | 32-bit or 64-bit |
| Machine | Architecture (x86-64, ARM, MIPS) |
| Type | EXEC (executable), DYN (shared object) |
| Entry point | Code execution start address |

pyelftools - Python ELF Parsing

Usage

from elftools.elf.elffile import ELFFile

with open("binary", "rb") as f:
    elf = ELFFile(f)
    elf.elfclass          # 32 or 64
    elf.little_endian     # True/False
    elf.header.e_machine  # Architecture
    elf.header.e_entry    # Entry point
    elf.num_sections()    # Section count
    elf.get_section_by_name(".symtab")  # Symbol table
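The header fields listed above can also be read without pyelftools. The following added example (not part of the original reference) parses them with only the standard library, handling both ELF32 and ELF64 and both byte orders, and adds a cheap UPX marker check; the sample headers it builds are constructed inputs, not real binaries.

```python
import struct

# Value tables for the subset of e_type / e_machine values shown by `readelf -h`.
ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
ELF_MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def parse_elf_header(data: bytes) -> dict:
    """Parse Class, endianness, Type, Machine and Entry point from raw ELF bytes.

    The e_entry field is 4 bytes on ELF32 and 8 bytes on ELF64, so the
    struct layout is chosen from EI_CLASS and the byte order from EI_DATA.
    """
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    elfclass = {1: 32, 2: 64}.get(data[4])   # EI_CLASS
    endian = {1: "<", 2: ">"}.get(data[5])   # EI_DATA
    if elfclass is None or endian is None:
        raise ValueError("invalid EI_CLASS or EI_DATA")
    # After the 16-byte e_ident: e_type (u16), e_machine (u16), e_version (u32), e_entry.
    fmt = endian + ("HHII" if elfclass == 32 else "HHIQ")
    e_type, e_machine, _, e_entry = struct.unpack_from(fmt, data, 16)
    return {
        "class": elfclass,
        "little_endian": endian == "<",
        "type": ELF_TYPES.get(e_type, f"unknown({e_type})"),
        "machine": ELF_MACHINES.get(e_machine, f"unknown({e_machine})"),
        "entry": e_entry,
    }


def looks_upx_packed(data: bytes) -> bool:
    """Packer hint only: UPX normally leaves a 'UPX!' marker in the file.

    A modified packer can remove the marker, so confirm with `upx -t`
    or by inspecting the section headers (`readelf -S`).
    """
    return b"UPX!" in data


def build_sample_elf(elfclass, little_endian, e_type, e_machine, e_entry, trailer=b""):
    """Construct a minimal ELF header for testing (constructed sample, not a real binary)."""
    ident = b"\x7fELF" + bytes([1 if elfclass == 32 else 2, 1 if little_endian else 2, 1]) + b"\x00" * 9
    fmt = ("<" if little_endian else ">") + ("HHII" if elfclass == 32 else "HHIQ")
    header = ident + struct.pack(fmt, e_type, e_machine, 1, e_entry)
    return header.ljust(52 if elfclass == 32 else 64, b"\x00") + trailer


if __name__ == "__main__":
    print(parse_elf_header(build_sample_elf(64, True, 3, 62, 0x401040)))
```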

strings - String Extraction

Syntax

strings <binary>                 # ASCII strings (default min 4)
strings -n 8 <binary>            # Minimum 8 characters
strings -e l <binary>            # 16-bit little-endian (Unicode)
strings -t x <binary>            # Print offset in hex

strace - System Call Tracing

Syntax

strace -f ./binary                    # Follow forks
strace -e trace=network ./binary      # Network calls only
strace -e trace=file ./binary         # File operations only
strace -e trace=process ./binary      # Process operations
strace -o output.txt ./binary         # Log to file
strace -c ./binary                    # Summary statistics

Key System Calls

| Call | Category |
|---|---|
| socket, connect, bind | Network |
| fork, execve, clone | Process |
| open, read, write, unlink | File I/O |
| ptrace | Anti-debug/injection |

ltrace - Library Call Tracing

Syntax

ltrace -f ./binary                # Follow child processes
ltrace -e malloc+free ./binary    # Specific functions
ltrace -o output.txt ./binary     # Log to file

GDB - GNU Debugger

Syntax

gdb ./binary
(gdb) break main
(gdb) break *0x400580       # Break at address
(gdb) run
(gdb) info registers
(gdb) x/20s $rdi            # Examine 20 strings starting at RDI
(gdb) x/10i $rip            # Disassemble 10 instructions at RIP
(gdb) bt                    # Backtrace

UPX - Packer Detection/Unpacking

Syntax

upx -t <binary>    # Test if packed
upx -d <binary>    # Decompress/unpack
upx -l <binary>    # List compression details

objdump - Disassembly

Syntax

objdump -d <binary>              # Disassemble .text
objdump -D <binary>              # Disassemble all sections
objdump -M intel -d <binary>     # Intel syntax
objdump -t <binary>              # Symbol table

nm - Symbol Listing

Syntax

nm <binary>        # List symbols
nm -D <binary>     # Dynamic symbols only
nm -u <binary>     # Undefined (imported) symbols