mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00


API Reference: Static Malware Analysis with PE Studio Agent

Overview

Performs automated static analysis of Windows PE binaries using pefile to inspect headers, sections, imports, strings, and resources for malware indicators.

Dependencies

| Package | Version | Purpose |
|---------|---------|---------|
| pefile | >= 2023.2.7 | PE file parsing and section analysis |
| hashlib | stdlib | MD5, SHA-1, SHA-256 hash computation |

Core Functions

compute_hashes(filepath)

Generates MD5, SHA-1, SHA-256 hashes and file size.

  • Returns: dict with md5, sha1, sha256, size

analyze_sections(pe)

Inspects each PE section for Shannon entropy, the ratio of virtual size to raw size, and other packing indicators (a section with a large virtual size but little or no raw data is typically unpacked at runtime).

  • Flags: HIGH_ENTROPY (>7.0), HIGH_VR_RATIO (>10x)
  • Returns: list[dict] - section analysis entries

detect_packer(pe)

Identifies packer-specific section names (UPX, ASPack, VMProtect, Themida) and flags an unusually low import count, which is typical of a packed stub that resolves its real imports at runtime.

  • Returns: list[str] - detected packer names

analyze_imports(pe)

Categorizes imports into Process Injection, Keylogging, Persistence, Evasion, Network, Crypto.

  • Returns: list[dict] with category, dll, function

extract_strings(filepath, min_length=6)

Extracts ASCII strings and classifies into URLs, IPs, emails, registry keys, file paths.

  • Returns: dict[str, list[str]] - categorized string indicators
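String extraction and classification as described above, as an added worked example rather than the skill's own code. It works on an in-memory byte blob (a thin file wrapper is included) so it runs offline; the regular expressions and the category names (`urls`, `ips`, `emails`, `registry_keys`, `file_paths`) are assumptions, and the sample blob is constructed from RFC 5737 documentation addresses and example.com, not taken from any real binary.

```python
import re

# Indicator classifiers (assumed patterns). A string may hit several categories.
CLASSIFIERS = {
    "urls": re.compile(r"https?://[^\s\"'<>]+"),
    "ips": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "emails": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "registry_keys": re.compile(r"(?:HKEY_[A-Z_]+|HKLM|HKCU|HKCR|HKU)\\[^\s\"']+"),
    "file_paths": re.compile(r"[A-Za-z]:\\[^\s\"'<>|*?]+"),
}


def find_ascii_strings(data: bytes, min_length: int = 6) -> list:
    """Runs of printable ASCII (0x20..0x7e) at least min_length bytes long."""
    pattern = re.compile(rb"[\x20-\x7e]{" + str(min_length).encode() + rb",}")
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def _valid_ipv4(candidate: str) -> bool:
    # The regex accepts e.g. 192.168.1.300; reject octets outside 0..255.
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def classify_strings(strings) -> dict:
    """Bucket strings by indicator type, de-duplicated and in first-seen order."""
    result = {category: [] for category in CLASSIFIERS}
    for s in strings:
        for category, rx in CLASSIFIERS.items():
            for hit in rx.findall(s):
                if category == "ips" and not _valid_ipv4(hit):
                    continue
                if hit not in result[category]:
                    result[category].append(hit)
    return result


def extract_strings(data: bytes, min_length: int = 6) -> dict:
    """dict[str, list[str]] of categorized indicators, as in the reference above."""
    return classify_strings(find_ascii_strings(data, min_length))


def extract_strings_from_file(filepath: str, min_length: int = 6) -> dict:
    with open(filepath, "rb") as f:
        return extract_strings(f.read(), min_length)


# Constructed sample blob: NUL-separated strings with some non-printable bytes mixed in.
SAMPLE_BLOB = b"\x00".join([
    b"MZ\x90",                                          # too short once split on \x90
    b"http://198.51.100.7/update.bin",                 # URL, also yields an IP
    b"bot@example.com",
    b"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    b"C:\\Users\\Public\\svchost.exe",
    b"abc",                                             # below min_length
    b"192.168.1.300",                                   # regex-shaped but not a valid IP
])

if __name__ == "__main__":
    for category, hits in extract_strings(SAMPLE_BLOB).items():
        print(f"{category}: {hits}")
```

Note that the IP inside the URL is reported in both `urls` and `ips`; that is deliberate, since an analyst pivoting on network indicators wants the bare address even when it only appears embedded in a URL.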

analyze_resources(pe)

Inspects PE resources for high-entropy data and embedded PE files.

  • Returns: list[dict] with type_id, size, entropy, flags

analyze_pe(filepath)

Runs the full analysis pipeline (hashes, sections, packer detection, imports, strings, resources) and produces a structured report.

  • Returns: dict - complete analysis report

Suspicious Import Categories

| Category | Example Functions |
|----------|-------------------|
| Process Injection | VirtualAllocEx, WriteProcessMemory, CreateRemoteThread |
| Keylogging | GetAsyncKeyState, SetWindowsHookExA |
| Persistence | RegSetValueExA, CreateServiceA |
| Evasion | IsDebuggerPresent, CheckRemoteDebuggerPresent |
| Network | InternetOpenA, URLDownloadToFileA, WSAStartup |
| Crypto | CryptEncrypt, CryptDecrypt |

Usage

python agent.py suspect.exe