mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-12 06:04:56 +03:00
mukul975
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
1.6 KiB
1.6 KiB
API Reference: Extracting Memory Artifacts with Rekall
Rekall Session
from rekall import session
s = session.Session(
filename="/path/to/memory.raw",
autodetect=["rsds"],
profile_path=["https://github.com/google/rekall-profiles/raw/master"]
)
Key Plugins
| Plugin | Purpose | Usage |
|---|---|---|
pslist |
List active processes via EPROCESS | s.plugins.pslist() |
psscan |
Brute-force scan for EPROCESS | s.plugins.psscan() |
malfind |
Detect injected code (VAD) | s.plugins.malfind() |
netscan |
List network connections | s.plugins.netscan() |
dlllist |
List loaded DLLs | s.plugins.dlllist(pids=[pid]) |
vadinfo |
VAD tree analysis | s.plugins.vadinfo(pids=[pid]) |
modules |
List kernel modules | s.plugins.modules() |
handles |
List open handles | s.plugins.handles(pids=[pid]) |
filescan |
Scan for FILE_OBJECT | s.plugins.filescan() |
Hidden Process Detection
pslist_pids = set(p.pid for p in s.plugins.pslist())
psscan_pids = set(p.pid for p in s.plugins.psscan())
hidden = psscan_pids - pslist_pids
Malfind Output Fields
pid: Process IDname: Process nameaddress: VAD start addressprotection: Memory protection (PAGE_EXECUTE_READWRITE = suspicious)tag: Pool tag
Command Line
rekall -f memory.raw pslist
rekall -f memory.raw malfind
rekall -f memory.raw netscan
rekall -f memory.raw dlllist --pid 1234
References
- Rekall: https://github.com/google/rekall
- Rekall docs: https://rekall.readthedocs.io/
- Rekall profiles: https://github.com/google/rekall-profiles