0X6C7879/ctf-malware
skills/ctf-malware/SKILL.md
Provides malware analysis and network traffic techniques for CTF challenges. Use when analyzing obfuscated scripts, malicious packages, custom crypto protocols, C2 traffic, PE/.NET binaries, RC4/AES encrypted communications, YARA rules, shellcode analysis, memory forensics for malware (Volatility malfind, process injection detection), anti-analysis techniques (VM/sandbox detection, timing evasion, API hashing, process injection, environment checks), or extracting malware configurations and indicators of compromise.
$ install --global
skillsauthnpx skillsauth add 0X6C7879/aegissec ctf-malwareInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 22, 2026, 4:43 AM145.6s4 files scanned
SKILL.md
- name:
- ctf-malware
- description:
- Provides malware analysis and network traffic techniques for CTF challenges. Use when analyzing obfuscated scripts, malicious packages, custom crypto protocols, C2 traffic, PE/.NET binaries, RC4/AES encrypted communications, YARA rules, shellcode analysis, memory forensics for malware (Volatility malfind, process injection detection), anti-analysis techniques (VM/sandbox detection, timing evasion, API hashing, process injection, environment checks), or extracting malware configurations and indicators of compromise.
- license:
- MIT
- compatibility:
- Requires filesystem-based agent (Claude Code or similar) with bash, Python 3, and internet access for tool installation.
- allowed-tools:
- Bash Read Write Edit Glob Grep Task WebFetch WebSearch
- user-invocable:
- false
CTF Malware & Network Analysis
Quick reference for malware analysis CTF challenges. Each technique has a one-liner here; see supporting files for full details with code.
Prerequisites
Python packages (all platforms):
pip install yara-python pefile capstone oletools unicorn pycryptodome \
volatility3 dissect.cobaltstrike
Linux (apt):
apt install strace ltrace tshark binwalk binutils
macOS (Homebrew):
brew install wireshark binwalk binutils ghidra
Manual install:
- dnSpy — GitHub, .NET decompiler (Windows)
Additional Resources
- scripts-and-obfuscation.md - JavaScript deobfuscation, PowerShell analysis, eval/base64 decoding, junk code detection, hex payloads, Debian package analysis, dynamic analysis techniques (strace/ltrace, network monitoring, memory string extraction, automated sandbox execution), YARA rules for malware detection, shellcode analysis (Unicorn Engine, Capstone), memory forensics for malware (Volatility 3 malfind, process injection detection), anti-analysis techniques (VM detection, timing evasion, API hashing, process injection), trojanized plugin analysis with custom alphabet C2 decoding
- c2-and-protocols.md - C2 traffic patterns, custom crypto protocols, RC4 WebSocket, DNS-based C2, network indicators, PCAP analysis, AES-CBC, encryption ID, Telegram bot recovery, Poison Ivy RAT Camellia decryption
- pe-and-dotnet.md - PE analysis (peframe, pe-sieve, pestudio), .NET analysis (dnSpy, AsmResolver), LimeRAT extraction, sandbox evasion, malware config extraction, PyInstaller+PyArmor
When to Pivot
- If the sample is really just a normal crackme, packed challenge binary, or custom VM with no malware behavior, switch to
/ctf-reverse. - If the main job is network reconstruction, disk carving, or host artifact recovery, switch to
/ctf-forensics. - If the challenge turns into public attribution or infrastructure tracing, switch to
/ctf-osint.
Quick Start Commands
# Static analysis
file suspicious_file
strings -n 8 suspicious_file | head -50
xxd suspicious_file | head -20
# PE analysis
python3 -c "import pefile; pe=pefile.PE('mal.exe'); print(pe.dump_info())" | head
peframe mal.exe
# Dynamic analysis (sandboxed!)
strace -f -s 200 ./suspicious 2>&1 | head -100
ltrace ./suspicious 2>&1 | head -50
# Network indicators
strings suspicious_file | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
strings suspicious_file | grep -iE 'http|ftp|ws://'
# YARA scan
yara -r rules.yar suspicious_file
Obfuscated Scripts
- Replace
eval/bashwithechoto print underlying code; extract base64/hex blobs and analyze withfile. See scripts-and-obfuscation.md.
JavaScript & PowerShell Deobfuscation
- JS: Replace
evalwithconsole.log, decodeunescape(),atob(),String.fromCharCode(). - PowerShell: Decode
-encbase64, replaceIEXwith output. See scripts-and-obfuscation.md.
Junk Code Detection
- NOP sleds, push/pop pairs, dead writes, unconditional jumps to next instruction. Filter to extract real
calltargets. See scripts-and-obfuscation.md.
PCAP & Network Analysis
tshark -r file.pcap -Y "tcp.stream eq X" -T fields -e tcp.payload
Look for C2 on unusual ports. Extract IPs/domains with strings | grep. See c2-and-protocols.md.
Custom Crypto Protocols
- Stream ciphers share keystream state for both directions; concatenate ALL payloads chronologically.
- ChaCha20 keystream extraction: send nullbytes (0 XOR anything = anything). See c2-and-protocols.md.
C2 Traffic Patterns
- Beaconing, DGA, DNS tunneling, HTTP(S) with custom headers, encoded payloads. See c2-and-protocols.md.
RC4-Encrypted WebSocket C2
- Remap port with
tcprewrite, add RSA key for TLS decryption, find RC4 key in binary. See c2-and-protocols.md.
Identifying Encryption Algorithms
- AES:
0x637c777bS-box; ChaCha20:expand 32-byte k; TEA/XTEA:0x9E3779B9; RC4: sequential S-box init. See c2-and-protocols.md.
AES-CBC in Malware
- Key = MD5/SHA256 of hardcoded string; IV = first 16 bytes of ciphertext. See c2-and-protocols.md.
PE Analysis
peframe malware.exe # Quick triage
pe-sieve # Runtime analysis
pestudio # Static analysis (Windows)
See pe-and-dotnet.md.
.NET Malware Analysis
- Use dnSpy/ILSpy for decompilation; AsmResolver for programmatic analysis. LimeRAT C2: AES-256-ECB with MD5-derived key. See pe-and-dotnet.md.
Malware Configuration Extraction
- Check .data section, PE/.NET resources, registry keys, encrypted config files. See pe-and-dotnet.md.
Sandbox Evasion Checks
- VM detection, debugger detection, timing checks, environment checks, analysis tool detection. See pe-and-dotnet.md.
Anti-Analysis Techniques
VM detection (CPUID, MAC prefix, registry, disk size), timing evasion (sleep/RDTSC sandbox detection), API hashing (ROR13/DJB2/CRC32 + hashdb lookup), process injection (hollowing, APC, CreateRemoteThread), environment checks. See scripts-and-obfuscation.md.
Trojanized Plugin Analysis
Diff malicious plugin against official release to find injected code in try/except blocks. Custom alphabet rotation (C[(C.index(ch) - offset) % len(C)]) decodes C2 domain, XOR decodes endpoint path. See scripts-and-obfuscation.md.
PyInstaller + PyArmor Unpacking
pyinstxtractor.pyto extract, PyArmor-Unpacker for protected code. See pe-and-dotnet.md.
Telegram Bot Evidence Recovery
- Use bot token from malware source to call
getUpdatesandgetFileAPIs. See c2-and-protocols.md.
Debian Package Analysis
ar -x package.deb && tar -xf control.tar.xz # Check postinst scripts
See scripts-and-obfuscation.md.
YARA Rules for Malware Detection
Write YARA rules to match byte patterns, strings, and regex against files or memory dumps. Detect XOR loops ({31 ?? 80 ?? ?? 4? 75}), base64 blobs, encoded PowerShell. Use yarac to compile for faster scanning. See scripts-and-obfuscation.md.
Shellcode Analysis
Disassemble with objdump -b binary -m i386:x86-64, emulate with Unicorn Engine (hook syscalls safely), or use Capstone for programmatic disassembly. Look for XOR decoder stubs. See scripts-and-obfuscation.md.
Memory Forensics for Malware
vol3 windows.malfind detects injected code (PAGE_EXECUTE_READWRITE without mapped file). windows.pstree reveals suspicious parent-child relationships. YARA scan memory with yarascan.YaraScan. See scripts-and-obfuscation.md.
Network Indicators Quick Reference
strings malware | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | sort -u
Related Skills
0X6C7879/wooyun-legacy
development
VerifiedTrustedCommunity
WooYun-derived business-logic testing methodology for web apps and APIs. Use when the request involves 支付、退款、订单、越权、认证、授权、价格篡改或业务流程绕过 review, especially black-box probing for price tampering, account takeover, and process bypass flaws.
2SKILL.mdUpdated Apr 28, 2026
0X6C7879/windows-privilege-escalation
tools
VerifiedTrustedCommunity
Escalate privileges on Windows systems using service misconfigurations, DLL hijacking, token manipulation, UAC bypasses, registry exploits, and credential dumping. Use when performing Windows post-exploitation or privilege escalation.
2SKILL.mdUpdated Apr 28, 2026
0X6C7879/tunnel
development
VerifiedTrustedCommunity
Use when performing AD pentest tunneling and pivoting, especially with Ligolo-ng, Chisel, frp, proxychains, SSH forwarding, SOCKS relays, reverse tunnels, or when internal reachability is the main blocker.
2SKILL.mdUpdated Apr 28, 2026
0X6C7879/threat-modeling
development
VerifiedTrustedCommunity
Threat model, security audit, find vulnerabilities, check security of my app, risk assessment, penetration test prep, analyze attack surface, what could an attacker exploit. Use this skill whenever a user wants holistic security analysis of a codebase, application, or project. MUST be invoked instead of analyzing security yourself — it runs a specialized 8-phase STRIDE workflow producing professional deliverables you cannot generate alone: risk assessment reports, DFD diagrams, threat inventories, attack path validation, mitigation plans, and pentest plans. Trigger on: 威胁建模, 安全评估, 渗透测试, 安全分析, 安全审计, 安全检查, 风险评估. NOT for: fixing one specific bug, adding one security feature (rate limiting, CORS), writing tests, CI/CD setup, or debugging errors.
2SKILL.mdUpdated Apr 22, 2026