mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00


# API Reference: Static Malware Analysis with PE Studio Agent
## Overview
Performs automated static analysis of Windows PE binaries using pefile to inspect headers, sections, imports, strings, and resources for malware indicators.
## Dependencies
| Package | Version | Purpose |
|---------|---------|---------|
| pefile | >= 2023.2.7 | PE file parsing and section analysis |
| hashlib | stdlib | MD5, SHA-1, SHA-256 hash computation |
## Core Functions
### `compute_hashes(filepath)`
Computes the MD5, SHA-1 and SHA-256 digests of the file and records its size.
- **Returns**: `dict` with `md5`, `sha1`, `sha256`, `size`
### `analyze_sections(pe)`
Inspects PE sections for entropy, virtual/raw size ratios, and packing indicators.
- **Flags**: `HIGH_ENTROPY` (>7.0), `HIGH_VR_RATIO` (>10x)
- **Returns**: `list[dict]` - section analysis entries
### `detect_packer(pe)`
Identifies known packer section names (UPX, ASPack, VMProtect, Themida) and flags unusually low import counts as a packing indicator.
- **Returns**: `list[str]` - detected packer names
### `analyze_imports(pe)`
Categorizes imports into Process Injection, Keylogging, Persistence, Evasion, Network, Crypto.
- **Returns**: `list[dict]` with `category`, `dll`, `function`
### `extract_strings(filepath, min_length=6)`
Extracts ASCII strings and classifies into URLs, IPs, emails, registry keys, file paths.
- **Returns**: `dict[str, list[str]]` - categorized string indicators
### `analyze_resources(pe)`
Inspects PE resources for high-entropy data and embedded PE files.
- **Returns**: `list[dict]` with `type_id`, `size`, `entropy`, `flags`
### `analyze_pe(filepath)`
Runs the full analysis pipeline and produces a structured report.
- **Returns**: `dict` - complete analysis report
## Suspicious Import Categories
| Category | Example Functions |
|----------|-------------------|
| Process Injection | VirtualAllocEx, WriteProcessMemory, CreateRemoteThread |
| Keylogging | GetAsyncKeyState, SetWindowsHookExA |
| Persistence | RegSetValueExA, CreateServiceA |
| Evasion | IsDebuggerPresent, CheckRemoteDebuggerPresent |
| Network | InternetOpenA, URLDownloadToFileA, WSAStartup |
| Crypto | CryptEncrypt, CryptDecrypt |
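The section, packer, import and string checks documented under Core Functions and in the category table above, as an added example. This is not the repository's `scripts/agent.py`: it reimplements the flagging logic with the standard library only, so it runs without pefile or a real binary. The section-name-to-packer map, the DLL names, the sample section contents and the byte blob are all constructed for the example; the thresholds and import categories are the ones this reference states.

```python
"""Added example, not the repository's scripts/agent.py: the section, packer,
import and string checks described in this reference, reimplemented with the
standard library so the logic runs without pefile or a real binary.
Section contents, import lists and the byte blob below are constructed."""
import math
import re
from collections import Counter

ENTROPY_THRESHOLD = 7.0    # bits per byte, the documented HIGH_ENTROPY cut-off
VR_RATIO_THRESHOLD = 10.0  # virtual/raw size ratio, the documented HIGH_VR_RATIO cut-off

# Section-name-to-packer map (assumed names for the packers the reference lists)
PACKER_SECTIONS = {"UPX0": "UPX", "UPX1": "UPX", ".aspack": "ASPack",
                   ".vmp0": "VMProtect", ".themida": "Themida"}

# Suspicious import categories, taken from the table in this reference
SUSPICIOUS_IMPORTS = {
    "Process Injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "Keylogging": {"GetAsyncKeyState", "SetWindowsHookExA"},
    "Persistence": {"RegSetValueExA", "CreateServiceA"},
    "Evasion": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"},
    "Network": {"InternetOpenA", "URLDownloadToFileA", "WSAStartup"},
    "Crypto": {"CryptEncrypt", "CryptDecrypt"},
}

# Indicator classes that extract_strings() buckets strings into
STRING_CLASSES = {
    "urls": re.compile(r"https?://[^\s\"']+"),
    "ips": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "emails": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "registry_keys": re.compile(r"(?:HKEY_[A-Z_]+|HKLM|HKCU)\\[^\s\"']+"),
    "file_paths": re.compile(r"[A-Za-z]:\\[^\s\"']+"),
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze_section(name: str, raw: bytes, virtual_size: int) -> dict:
    """One entry of analyze_sections(): entropy, size ratio and the two flags."""
    raw_size = len(raw)
    entropy = shannon_entropy(raw)
    # A section with no raw data but a large virtual size is the usual packed
    # layout (the stub unpacks into it at run time); treat the ratio as infinite.
    ratio = virtual_size / raw_size if raw_size else math.inf
    flags = []
    if entropy > ENTROPY_THRESHOLD:
        flags.append("HIGH_ENTROPY")
    if ratio > VR_RATIO_THRESHOLD:
        flags.append("HIGH_VR_RATIO")
    return {"name": name, "raw_size": raw_size, "virtual_size": virtual_size,
            "entropy": round(entropy, 3), "vr_ratio": ratio, "flags": flags}


def detect_packer(section_names) -> list:
    """detect_packer() by section name only; the low-import heuristic is left out."""
    found = []
    for name in section_names:
        packer = PACKER_SECTIONS.get(name.rstrip("\x00"))
        if packer and packer not in found:
            found.append(packer)
    return found


def categorize_imports(imports) -> list:
    """imports: iterable of (dll, function) pairs -> category/dll/function entries."""
    return [{"category": cat, "dll": dll, "function": func}
            for dll, func in imports
            for cat, names in SUSPICIOUS_IMPORTS.items() if func in names]


def extract_strings_from_bytes(data: bytes, min_length: int = 6) -> dict:
    """Printable-ASCII runs of at least min_length, bucketed by indicator class."""
    runs = re.compile(rb"[\x20-\x7e]{%d,}" % min_length)
    result = {key: [] for key in STRING_CLASSES}
    for match in runs.finditer(data):
        text = match.group().decode("ascii")
        for key, pattern in STRING_CLASSES.items():
            for hit in pattern.findall(text):
                if hit not in result[key]:
                    result[key].append(hit)
    return result


# Constructed sample: a UPX-style section layout, an injection import triple,
# and a string blob holding one indicator of each class.
SAMPLE_SECTIONS = [
    ("UPX0", b"", 0x20000),                    # empty on disk, large in memory
    ("UPX1", bytes(range(256)) * 16, 0x1000),  # uniform bytes -> entropy 8.0
    (".text", b"\x90" * 0x1000, 0x1000),       # constant bytes -> entropy 0.0
]
SAMPLE_IMPORTS = [("KERNEL32.dll", "VirtualAllocEx"), ("KERNEL32.dll", "WriteProcessMemory"),
                  ("KERNEL32.dll", "CreateRemoteThread"), ("USER32.dll", "MessageBoxA")]
SAMPLE_BLOB = (b"MZ\x90\x00\x03\x00" + b"http://example.test/update.bin\x00"
               + b"C:\\Users\\Public\\svc.exe\x00" + b"10.0.0.5\x00"
               + b"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
               + b"admin@example.test\x00")


def analyze_sample() -> dict:
    """analyze_pe()-shaped report over the constructed sample."""
    return {
        "sections": [analyze_section(n, raw, vs) for n, raw, vs in SAMPLE_SECTIONS],
        "packers": detect_packer(n for n, _, _ in SAMPLE_SECTIONS),
        "suspicious_imports": categorize_imports(SAMPLE_IMPORTS),
        "strings": extract_strings_from_bytes(SAMPLE_BLOB),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_sample(), indent=2))
```

Both section flags are indicators rather than verdicts: legitimately compressed resources and signed installers also exceed 7.0 bits per byte, and an empty-on-disk section with a large virtual size is exactly what `.bss`-style zero-initialised data looks like, so a triage workflow should weigh the flags together with the packer names and the import categories before escalating a sample.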
## Usage
```bash
python agent.py suspect.exe
```