mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-14 15:04:56 +03:00
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
118 lines
3.1 KiB
Markdown
# API Reference: Packed Malware and UPX Analysis

## UPX - Ultimate Packer for eXecutables

### Syntax

```bash
upx -d <packed_file>              # Decompress/unpack
upx -d -o <output> <packed_file>  # Unpack to new file
upx -t <file>                     # Test if packed
upx -l <file>                     # List compression info
upx --version                     # Version info
```

### Output Format

```
        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    184320 <-     98304   53.33%    win32/pe     malware.exe
```

## pefile - Python PE Analysis

### Usage

```python
import pefile

pe = pefile.PE("sample.exe")

# Section analysis: entropy above 7.0 is the primary packing indicator
for section in pe.sections:
    name = section.Name.rstrip(b"\x00").decode(errors="replace")
    entropy = section.get_entropy()
    print(f"{name}: entropy={entropy:.2f}")

# Import analysis: a packed binary usually shows only a handful of imports.
# The attribute is absent when the file has no import table, hence getattr.
for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
    dll = entry.dll.decode(errors="replace")
    for imp in entry.imports:
        # imports by ordinal carry no name
        func = imp.name.decode() if imp.name else f"ordinal {imp.ordinal}"
        print(f"{dll}: {func}")

pe.close()
```

### Packing Indicators

| Indicator | Threshold |
|-----------|-----------|
| Section entropy | > 7.0 (high, likely packed/encrypted) |
| Import count | < 10 (few imports suggest packing) |
| Virtual/Raw ratio | > 5x (large in-memory expansion) |
| Section names | UPX0, UPX1, .packed, .nsp |
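
An added example, not part of the original reference, that applies the thresholds above to a PE's sections: Shannon entropy per section (the same figure pefile's `get_entropy()` reports), the virtual/raw expansion ratio, known packer section names (those listed here and in the PEiD table further down) and the import count. `Section` and `DEMO_SECTIONS` are constructed to resemble a UPX layout; with a real file, build each `Section` from `section.Name`, `section.SizeOfRawData`, `section.Misc_VirtualSize` and `section.get_data()` of a `pefile.PE` object.

```python
import math
from dataclasses import dataclass
ENTROPY_PACKED = 7.0        # thresholds from the Packing Indicators table above
MIN_IMPORTS = 10
VIRTUAL_RAW_RATIO = 5.0
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".packed", ".nsp", ".aspack",
                        ".adata", ".pec1", ".pec2", ".vmp0", ".vmp1"}

@dataclass
class Section:
    name: str
    raw_size: int      # SizeOfRawData: bytes present on disk
    virtual_size: int  # Misc.VirtualSize: bytes reserved in memory
    data: bytes        # raw contents (pefile: section.get_data())

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; the same measure pefile's get_entropy() reports."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return 0.0 - sum(c / n * math.log2(c / n) for c in counts if c)

def packing_indicators(sections, import_count):
    """Return one line per indicator that fires; an empty list means none did."""
    hits = []
    for s in sections:
        ent = shannon_entropy(s.data)
        if ent > ENTROPY_PACKED:
            hits.append(f"{s.name}: entropy {ent:.2f} > {ENTROPY_PACKED}")
        # No raw data but a large virtual size is the unpacker's scratch area (UPX0 style).
        ratio = s.virtual_size / s.raw_size if s.raw_size else math.inf
        if s.virtual_size and ratio > VIRTUAL_RAW_RATIO:
            hits.append(f"{s.name}: virtual/raw ratio {ratio:.1f} (raw {s.raw_size:#x}, virtual {s.virtual_size:#x})")
        if s.name in PACKER_SECTION_NAMES:
            hits.append(f"{s.name}: known packer section name")
    if import_count < MIN_IMPORTS:
        hits.append(f"import count {import_count} < {MIN_IMPORTS}")
    return hits

# Constructed UPX-like layout (illustrative values, not from a real binary): empty UPX0
# reserved for the unpacked image, high-entropy UPX1 holding the compressed payload.
DEMO_SECTIONS = [
    Section("UPX0", raw_size=0, virtual_size=0x1D000, data=b""),
    Section("UPX1", raw_size=0x1000, virtual_size=0x1000, data=bytes(range(256)) * 16),
    Section(".rsrc", raw_size=0x200, virtual_size=0x200, data=b"\x00" * 0x200),
]
DEMO_IMPORT_COUNT = 4
```

Run `packing_indicators(DEMO_SECTIONS, DEMO_IMPORT_COUNT)` to see every indicator fire for the UPX sections while `.rsrc` stays quiet.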

## Detect It Easy (DIE) - Packer Identification

### Syntax

```bash
diec <sample.exe>     # CLI scan
diec -j <sample.exe>  # JSON output
```

### Output

```
PE32 executable
Packer: UPX(3.96)[NRV2B_LE32,best]
Compiler: MSVC(2019)
```

## PEiD - Packer Identification (Legacy)

### Packer Signatures Database

| Packer | Section Names | Magic Bytes |
|--------|---------------|-------------|
| UPX | UPX0, UPX1, UPX2 | `UPX!` at end of file |
| ASPack | .aspack, .adata | N/A |
| PECompact | .pec1, .pec2 | N/A |
| Themida | Various | Encrypted sections |
| VMProtect | .vmp0, .vmp1 | Virtualized code |

## PEStudio - Static PE Analysis

### Key Indicators

| Check | Description |
|-------|-------------|
| Entropy | Section-level entropy analysis |
| Imports | API import analysis |
| Strings | Embedded string extraction |
| Signatures | Packer/compiler identification |
| VirusTotal | Hash-based lookup |

## x64dbg / x32dbg - Dynamic Unpacking

### Generic Unpacking Steps

```
1. Set breakpoint on VirtualAlloc / VirtualProtect
2. Run until breakpoint
3. Check memory map for new RWX regions
4. Step until original entry point (OEP) reached
5. Dump memory at OEP using Scylla plugin
6. Fix import table with Scylla
```

### Key API Breakpoints

| API | Purpose |
|-----|---------|
| `VirtualAlloc` | Memory allocation for unpacked code |
| `VirtualProtect` | Change memory protection (RWX) |
| `LoadLibraryA` | Load DLLs for import resolution |
| `GetProcAddress` | Resolve API addresses |
| `NtWriteVirtualMemory` | Write unpacked code to memory |

## Entropy Interpretation

| Range | Interpretation |
|-------|----------------|
| 0-1 | Nearly empty/uniform data |
| 1-5 | Normal code/data |
| 5-7 | Compressed or obfuscated |
| 7-8 | Encrypted or packed (theoretical maximum 8.0 bits per byte) |